Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-ls996scd2z
Target bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157
SHA256 bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157

Threat Level: Known bad

The file bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 09:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 09:48

Reported

2024-05-17 09:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 4252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1144 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1144 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\rss\csrss.exe
PID 3952 wrote to memory of 2596 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 5096 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 4768 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3900 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3280 wrote to memory of 1500 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1500 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe

"C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe

"C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 646645c7-480d-463c-9f20-57d9eae7854d.uuid.statsexplorer.org udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server13.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun1.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server13.statsexplorer.org tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server13.statsexplorer.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server13.statsexplorer.org tcp

Files

memory/3168-1-0x00000000047A0000-0x0000000004BA1000-memory.dmp

memory/3168-2-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/3168-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2204-4-0x000000007430E000-0x000000007430F000-memory.dmp

memory/2204-5-0x0000000002890000-0x00000000028C6000-memory.dmp

memory/2204-7-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2204-6-0x0000000005030000-0x0000000005658000-memory.dmp

memory/2204-8-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2204-9-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

memory/2204-10-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/2204-11-0x0000000005800000-0x0000000005866000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejdsmo0r.hb3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2204-21-0x0000000005970000-0x0000000005CC4000-memory.dmp

memory/2204-22-0x0000000005E60000-0x0000000005E7E000-memory.dmp

memory/2204-23-0x0000000005E90000-0x0000000005EDC000-memory.dmp

memory/2204-24-0x0000000006FB0000-0x0000000006FF4000-memory.dmp

memory/2204-25-0x0000000007190000-0x0000000007206000-memory.dmp

memory/2204-26-0x0000000007890000-0x0000000007F0A000-memory.dmp

memory/2204-27-0x0000000007230000-0x000000000724A000-memory.dmp

memory/2204-31-0x0000000070320000-0x0000000070674000-memory.dmp

memory/2204-30-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/2204-29-0x00000000073E0000-0x0000000007412000-memory.dmp

memory/2204-42-0x0000000007440000-0x00000000074E3000-memory.dmp

memory/3168-28-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2204-45-0x0000000007530000-0x000000000753A000-memory.dmp

memory/2204-44-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2204-43-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2204-41-0x0000000007420000-0x000000000743E000-memory.dmp

memory/2204-46-0x00000000075F0000-0x0000000007686000-memory.dmp

memory/2204-47-0x0000000007550000-0x0000000007561000-memory.dmp

memory/2204-48-0x00000000075B0000-0x00000000075BE000-memory.dmp

memory/2204-49-0x00000000075C0000-0x00000000075D4000-memory.dmp

memory/2204-50-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/2204-51-0x00000000076A0000-0x00000000076A8000-memory.dmp

memory/2204-54-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/3168-57-0x00000000047A0000-0x0000000004BA1000-memory.dmp

memory/3168-58-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/3168-56-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1156-59-0x00000000058A0000-0x0000000005BF4000-memory.dmp

memory/3168-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1144-69-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1156-71-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/1156-72-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/1156-82-0x00000000070E0000-0x0000000007183000-memory.dmp

memory/1156-83-0x0000000007410000-0x0000000007421000-memory.dmp

memory/1156-84-0x0000000007460000-0x0000000007474000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1652-98-0x0000000005B90000-0x0000000005EE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 425c613f3c9272cb9e467a6a9f91e34c
SHA1 ff5ab09d540b4127082175561a3277966684e3a1
SHA256 c86bc825aeafd366f79c1bd14d13d8619e552690908b87b448963fcabb04de95
SHA512 27c3b6df81e45ab74cba2756511a83fb62eee4171d6b164b3e8b649a6442cb7edb25c0ec3905ac52a8acecc58a7e8f26dec4aa1d80befdf1b458e652f5bad5da

memory/1652-100-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/1652-101-0x0000000070340000-0x0000000070694000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 777018c1a27ba9ea6839bf82966e8e93
SHA1 1e892c8629512bf94faf936150160cac37b01f58
SHA256 d53b9dfd6b7d30c4ecdcb99b19fe9f4953ecef0327e87c7ae642117a08873b17
SHA512 2c06379506b56c44c780b1f5c6b87f016cddc12ed6581222e4229248fe124f45280bc93b8cb2415a37b15e0a7d404a8cf5ea3ca7d754bdb953c09655d3737c1a

memory/4880-122-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/4880-123-0x0000000070320000-0x0000000070674000-memory.dmp

memory/1144-133-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d1b7976dbde84ae067c478c0c1842208
SHA1 36e5deacdb886e26b42701efac512a4419c8b908
SHA256 bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157
SHA512 166d5fb00327c1586fbafd563bb0c851a30d05f0dba10bfb0236789f59a39feeba6b696b0a66f1a830a3ec1305a2071fa40a40644cd3d5a2f296b97936087c10

memory/1144-141-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b850ead39075cc48590082dc6c743464
SHA1 ca50fd81f340b3f61ec19094e270b13cebda2305
SHA256 fda8f7113e332b6b936af8e55b52ad5a68417aa66645820991d1524c07a1af6e
SHA512 236e9d55594ce3366ed722e179c81fc54cc6c70fdafdf7fd8633da15bf38c4e94fa05f9b1a9a783354ba37a4811541a56dfc88bceabcf09b3f007fc10859e858

memory/2596-152-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/2596-153-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/3952-164-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5096-165-0x0000000005620000-0x0000000005974000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 22a1468938e4b99b7b81fadf1ddca91f
SHA1 039c2a65114c5ea7232d2ed3d1f6e9e7f2da2d45
SHA256 262f65c6b63b555e9bdf4fb9f6d3f1caf8e4c6a9282fe65f4f8714ea621b1ffe
SHA512 62ef3ceeb2c263bfd93d32c70dcd6770db2601af58e3ed525306f210f27d7799712dac23edd1129972fa401abd9d0225d02c1b7c0a26052f6b8780918a4a6b0b

memory/5096-176-0x0000000005D00000-0x0000000005D4C000-memory.dmp

memory/5096-177-0x00000000700C0000-0x000000007010C000-memory.dmp

memory/5096-178-0x0000000070850000-0x0000000070BA4000-memory.dmp

memory/5096-188-0x0000000006F20000-0x0000000006FC3000-memory.dmp

memory/5096-189-0x00000000072B0000-0x00000000072C1000-memory.dmp

memory/5096-191-0x0000000005AF0000-0x0000000005B04000-memory.dmp

memory/4768-202-0x00000000064A0000-0x00000000067F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 39818d273a243883afbc19da3661ce82
SHA1 3f8ef4c6d312be53e54b1c5994a6f9508460e00a
SHA256 7b95e5990e78e108d8428fde0ea42383c22cef49a444fa86c3e21c5c7ce56df2
SHA512 1ff9b33c07c8e712c4fc6f2a6858d7495df7e9d69c62537165c2599874faaec563bbf49f0cc0e8ac5f9b9799d511011ebc62db4398df963e5c52e279e19dd41f

memory/4768-204-0x00000000700C0000-0x000000007010C000-memory.dmp

memory/4768-205-0x0000000070240000-0x0000000070594000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3952-222-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3952-225-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3280-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3280-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3952-236-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3676-239-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3952-240-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3952-244-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3676-247-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3952-248-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3952-252-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3952-255-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3952-260-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3952-264-0x0000000000400000-0x0000000002B0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:48

Reported

2024-05-17 09:51

Platform

win11-20240508-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2920 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2548 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2500 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\rss\csrss.exe
PID 2500 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\rss\csrss.exe
PID 2500 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe C:\Windows\rss\csrss.exe
PID 424 wrote to memory of 3448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 3448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 3448 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 880 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 1388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 1388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 1388 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 424 wrote to memory of 4004 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 424 wrote to memory of 4004 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3188 wrote to memory of 2144 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2144 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3188 wrote to memory of 2144 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2144 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2144 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe

"C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe

"C:\Users\Admin\AppData\Local\Temp\bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 15301174-b8b1-420e-9436-3d48a31f0020.uuid.statsexplorer.org udp
US 8.8.8.8:53 server14.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server14.statsexplorer.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aq5yhlwb.tzk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42ab1ff4cfa4dcc1cc559192b5ac9ae0
SHA1 38e872c845b78e16252b147fc0bb4683f09dc898
SHA256 038cde1f6e445a786188d13e772a21b404e46b0af1b41c4e125356559c70a951
SHA512 fc5321ca86bdab8c53543585a56a6bb7b2647cf2bcb9337e989ad319f1a4fe9e4af09ae88cf803914ad1d2dcfde39f38a62d3e1116a08279e64b58445a1d5f8b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42e4c9204fcb0f2e0322ce9c74102101
SHA1 d0c051940f2a4026398189e6a891d689c335156e
SHA256 402077e218724fddd719b8b7f129d29a3bebdbc8a723f5a081386636d917ff85
SHA512 10abec96928e87b9f0b70605b57c5001c57bb92fd1dbd188f3e030121332603dfde7963da04a60b37caaa4a30288b7de5c4851dc4e9914be38b58a54d254d5e0

C:\Windows\rss\csrss.exe

MD5 d1b7976dbde84ae067c478c0c1842208
SHA1 36e5deacdb886e26b42701efac512a4419c8b908
SHA256 bf222403825552c77826570cc73f47a1214ee301d9fe3ade8c94657810d3f157
SHA512 166d5fb00327c1586fbafd563bb0c851a30d05f0dba10bfb0236789f59a39feeba6b696b0a66f1a830a3ec1305a2071fa40a40644cd3d5a2f296b97936087c10

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7e444a80fbab26670c3235c27e2d38c0
SHA1 be0f42522b506c3a2580ca144574b903d3144cea
SHA256 40c2729588783aa818547a6e6f16e20fac186f51a5669ee4e5bba438a4237ea2
SHA512 20cd2011d7cfc9be42e841544f0f230e81ae06521cbb6aba52791883c07c34a89a804c5e5af713dd28ac9b01eaa08afd765ba8504ae37bac411d90c5f8705048

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8a80e0fac227c885bd86d66204bfca8c
SHA1 f62bb12334eabbda18daa851b2ef41d2941fa0da
SHA256 9ffc7a4374b4b287aad0f229bc47d7361b5b8c166e76f4086d4b8607ad2792c8
SHA512 8a0f864eb13df6c973f3b9b8881924e18cf89a1f1ae744241a2d30de2310cacf03a820ef10339d64274c961be513e01380f15bea0d066540fb7e11cc21b597fb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 98e378a219917ed69fc72f3ebc0a8285
SHA1 326c788f8588eaa780e136bbb6f74be9a61a15cc
SHA256 fba40823ecbf2cfe132042a1ab764fac14ffd69d17f7ed52db52712820f102b7
SHA512 eca2db3e9b0096751539aac811ab9864c04a10bcb8a4ce5b0d6c764dc4a4fe711c4a9954b163945ca6603af64c3299933de813a5c7f0b87df5eb3619a99b3ea0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
