Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-hxzsfseh4s
Target bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19
SHA256 bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19

Threat Level: Known bad

The file bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 07:07

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 07:07

Reported

2024-05-17 07:10

Platform

win11-20240426-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\system32\cmd.exe
PID 3220 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\system32\cmd.exe
PID 4908 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4908 wrote to memory of 3560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3220 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\rss\csrss.exe
PID 3220 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\rss\csrss.exe
PID 3220 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\rss\csrss.exe
PID 4144 wrote to memory of 3452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 3452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 2800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 2800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 2800 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 2640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 2640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 2640 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4144 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4144 wrote to memory of 1856 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3324 wrote to memory of 232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3324 wrote to memory of 232 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 232 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 232 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 232 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe

"C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe

"C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0e5b9fcb-9dfb-44fc-86c4-de9b4b99f433.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server8.thestatsfiles.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server8.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server8.thestatsfiles.ru tcp
N/A 127.0.0.1:3478 N/A udp
N/A 127.0.0.1:3478 N/A udp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server8.thestatsfiles.ru tcp
BG 185.82.216.96:443 server8.thestatsfiles.ru tcp

Files

memory/4980-1-0x0000000004A20000-0x0000000004E26000-memory.dmp

memory/4980-2-0x0000000004E30000-0x000000000571B000-memory.dmp

memory/4980-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2056-4-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

memory/2056-5-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

memory/2056-7-0x0000000074D50000-0x0000000075501000-memory.dmp

memory/2056-6-0x00000000053E0000-0x0000000005A0A000-memory.dmp

memory/2056-8-0x00000000052D0000-0x00000000052F2000-memory.dmp

memory/2056-9-0x0000000005B80000-0x0000000005BE6000-memory.dmp

memory/2056-10-0x0000000005C60000-0x0000000005CC6000-memory.dmp

memory/2056-11-0x0000000074D50000-0x0000000075501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apb0osq5.eu2.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2056-20-0x0000000005CD0000-0x0000000006027000-memory.dmp

memory/2056-21-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/2056-22-0x00000000061B0000-0x00000000061FC000-memory.dmp

memory/2056-23-0x0000000006710000-0x0000000006756000-memory.dmp

memory/2056-26-0x0000000074D50000-0x0000000075501000-memory.dmp

memory/2056-25-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/2056-36-0x00000000075E0000-0x00000000075FE000-memory.dmp

memory/2056-37-0x0000000007600000-0x00000000076A4000-memory.dmp

memory/2056-27-0x0000000071140000-0x0000000071497000-memory.dmp

memory/2056-24-0x00000000075A0000-0x00000000075D4000-memory.dmp

memory/2056-38-0x0000000074D50000-0x0000000075501000-memory.dmp

memory/2056-40-0x0000000007740000-0x000000000775A000-memory.dmp

memory/2056-39-0x0000000007D70000-0x00000000083EA000-memory.dmp

memory/2056-41-0x0000000007780000-0x000000000778A000-memory.dmp

memory/2056-42-0x0000000007890000-0x0000000007926000-memory.dmp

memory/2056-43-0x0000000007790000-0x00000000077A1000-memory.dmp

memory/2056-44-0x00000000077D0000-0x00000000077DE000-memory.dmp

memory/2056-45-0x0000000007800000-0x0000000007815000-memory.dmp

memory/2056-46-0x0000000007850000-0x000000000786A000-memory.dmp

memory/2056-47-0x0000000007870000-0x0000000007878000-memory.dmp

memory/2056-50-0x0000000074D50000-0x0000000075501000-memory.dmp

memory/4980-52-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2184-61-0x0000000005AA0000-0x0000000005DF7000-memory.dmp

memory/4980-62-0x0000000004A20000-0x0000000004E26000-memory.dmp

memory/4980-63-0x0000000004E30000-0x000000000571B000-memory.dmp

memory/2184-64-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/2184-65-0x0000000071160000-0x00000000714B7000-memory.dmp

memory/2184-74-0x0000000007240000-0x00000000072E4000-memory.dmp

memory/2184-75-0x0000000007570000-0x0000000007581000-memory.dmp

memory/2184-76-0x00000000075C0000-0x00000000075D5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 717b3022bdfa374df2da1382ceee409c
SHA1 6a88069b5e5b07b0301877d8f4df13804c589cea
SHA256 f97b0c3c75306ce481010d925810ae3f94e3f639190c41710125de66742a90a9
SHA512 add5556313c603957b7f63d5cfcc1bb6961a1da53cd8388dff454c6397bd748f8f87e7785bacecd692c60088fb4e41331bb0a4c5be0d57746ccb3d24720892f8

memory/2468-89-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/2468-90-0x0000000071140000-0x0000000071497000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 08a29fb7f601dd34b97d2662bb4b6be0
SHA1 9010bb02698ba5b073bb9cfe73d8014881fedc9e
SHA256 bf491be9248f80d3c0758d2a7061be875e89e451f4c9c83b043fc2252cdf170d
SHA512 537d4dbbd9e647b36c291538e0624a4be36be8cea5b88c54071c16a9c5fec34a8e5d9047d2226eedc26db7f587fc468bdd53a6a4a86f779932c8be2aaa76a84b

memory/3676-110-0x0000000071160000-0x00000000714B7000-memory.dmp

memory/3676-109-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/4980-121-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3220-120-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 18c0f2c32548e13a4e17828be516cec7
SHA1 134111afcd19cf832997beb1e5aceafcf1ae23d7
SHA256 bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19
SHA512 cbef2305415c14a759f8f3caab7c0b7a75740d37199e311006a9e86afa5f904b7006be4bb0687c10a5dcece790f71006b053a85bc3849691960e7b809d983738

memory/3220-126-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 70b86e82d68d95bb21cddc4fc81826ef
SHA1 580b2b8c3d0cab2f78e790559011adf49ab96610
SHA256 452780bf27ea37117ff8536812b0743a37808aa28eb9724fde891d4945f888d6
SHA512 1d60bd778d738b141d1f80beca145f44652db2c8b2c33ba4a840e475224fa2e004bae1fa4bbbabe119d462f704f6d18622a48d5405dcfba1ed46524d8ae2e2cb

memory/3452-138-0x0000000070FC0000-0x000000007100C000-memory.dmp

memory/3452-139-0x0000000071160000-0x00000000714B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 30068f08b720ee2942ed358daf16e062
SHA1 252a00d6d9791e9c2a95a1fca63b81f9c1c33491
SHA256 ba74cafa12c2d1373dd179782e227ba2ec4bb2f4fe423c5ed6e6bf857a6d90fd
SHA512 53c198eaa40ecd858acb1ff6363e5c235b300d58f18dd4d0d33537e25354f130bf7ab3acbb0baef15385c150c4e1f9dbee3f2bdfabc148470135d1d50a562144

memory/2800-159-0x0000000006520000-0x000000000656C000-memory.dmp

memory/2800-157-0x0000000006130000-0x0000000006487000-memory.dmp

memory/2800-160-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

memory/2800-170-0x0000000007760000-0x0000000007804000-memory.dmp

memory/2800-161-0x0000000071060000-0x00000000713B7000-memory.dmp

memory/2800-171-0x0000000007A90000-0x0000000007AA1000-memory.dmp

memory/2800-173-0x0000000005E60000-0x0000000005E75000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0af1f77ed065016a4ddd004f8903154f
SHA1 e821ad9975ae4660197aee59da0edafb67b8bb69
SHA256 458a7eac2dd5d61d8119f2d0e8e7322e18e2210c81a1c7ec9dd7d42c5d1fd9ae
SHA512 7f52da31c22ee0ca42f3201e7a31e426c1442902877f1aeb232258b312a7971da975fcac337d510c21550c4d29b9f2e9bdd88c70363a3d798d177d9ca4acfbd2

memory/2640-183-0x0000000005DB0000-0x0000000006107000-memory.dmp

memory/2640-186-0x0000000071080000-0x00000000713D7000-memory.dmp

memory/2640-185-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

memory/4144-196-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4144-206-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3324-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2824-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3324-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4144-214-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2824-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4144-217-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2824-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4144-220-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4144-223-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4144-226-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4144-229-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4144-232-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4144-235-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4144-238-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4144-241-0x0000000000400000-0x0000000002B0C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 07:07

Reported

2024-05-17 07:10

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\system32\cmd.exe
PID 3492 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\system32\cmd.exe
PID 4336 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4336 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3492 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\rss\csrss.exe
PID 3492 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\rss\csrss.exe
PID 3492 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe C:\Windows\rss\csrss.exe
PID 3652 wrote to memory of 5116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 5116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 5116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 4116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 4116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 4116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 2184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 2184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 2184 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 5080 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3652 wrote to memory of 5080 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4948 wrote to memory of 1404 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 1404 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4948 wrote to memory of 1404 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1404 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1404 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe

"C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe

"C:\Users\Admin\AppData\Local\Temp\bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iugnejno.fdr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9caed03023e1c7f9e91743c36f172ae3
SHA1 fddc2acd28f077e5a3fc4196130b8f5d88c0a6e4
SHA256 986d0a7bee476c8bf88735b2c09ff121e3f9a03dad961b03364029748b06bb2f
SHA512 5b8823a8fb319ec9b1498d4ac99e0054b4dc2e069af8295731ce004f86058861e20672e7c34bd2f674bc4096e5ed2165ea1468e2bcac9ae307cbbde283e5b6d0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4fb02fe027085eef79455d7199c548f5
SHA1 0967f51d0d948b11c13947632f99b2d715517672
SHA256 a7db7a2f6cd100934240eaaf1ffe73b6978e4436be682dfc492f8be8eff62170
SHA512 9be12428d7e9b61f4b36ec73768dad19a1c698ba1e37925f522c0c0bc625d9e5957aa95b10da11783323d7f6d43f8a87f4493c8b72b7e6abf9f9839aa49ba997

C:\Windows\rss\csrss.exe

MD5 18c0f2c32548e13a4e17828be516cec7
SHA1 134111afcd19cf832997beb1e5aceafcf1ae23d7
SHA256 bcf60610432d21ff4db8159dcc311d612f7e9e94fead7a6ed4b3bf6c7cda9e19
SHA512 cbef2305415c14a759f8f3caab7c0b7a75740d37199e311006a9e86afa5f904b7006be4bb0687c10a5dcece790f71006b053a85bc3849691960e7b809d983738

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f07062fd257d35a81715865f721a5095
SHA1 7c227e423537bf12ae2b2339026019b7fdaf9702
SHA256 e9dea73e751aba7960cc3c23a947486fd3619beaed48156108599d2d119082e6
SHA512 b5b1a329655e9b80dc8929d748bcc23cf93debea530381716f7254bd831795524b9146e70d2898220408e677c08839df6b748a74339d77446c499f57b4a400bd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42bdf4732e8632ab4e472d1e2881ffbc
SHA1 2db1cad4fbdaa1419f9230e7e8b7bf0ee31ade18
SHA256 d587bf6038fc28f768ed4a2b7624356ded12118e5a96d3ec2b7108f0f59df22d
SHA512 9490d80d6c16b98e4daa53a5a582a3299e19b0d59bd4148230d09b043a4f34329a5973d92dea6cb279a808eb32a0ac25ac171ac19f286152fe41a7403c906831

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a08e1090a00ceb2d1e543e989097598d
SHA1 72eade5b0cb049005c2fe9a5f3fad4ca60ac5110
SHA256 d9d070e85046a318b9fad6990eff06a647d0f80d3005dd655cbddbe5f16d48a3
SHA512 465b08329ac2a8af0e23f5a4df39fa48abeca65d4051fef638cb4ea214d15852bb1538bb69b7ed6fec49f400b007dc06df592d4f9770afcc6d5b99cf3217f6de

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
