Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-vj39yafg77
Target b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51
SHA256 b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51 was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-05-09 17:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 17:02

Reported

2024-05-09 17:04

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3324 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\system32\cmd.exe
PID 4776 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4776 wrote to memory of 1808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2992 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2992 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\rss\csrss.exe
PID 2992 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\rss\csrss.exe
PID 2992 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\rss\csrss.exe
PID 1448 wrote to memory of 4068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 4068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 4068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 428 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 4412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 4412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 4412 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 1220 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1448 wrote to memory of 1220 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4248 wrote to memory of 4980 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4248 wrote to memory of 4980 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4248 wrote to memory of 4980 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4980 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4980 wrote to memory of 3892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe

"C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe

"C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.192:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 192.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 b4a99888-8bb3-4549-b484-67ba889e6b74.uuid.filesdumpplace.org udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server16.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server16.filesdumpplace.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server16.filesdumpplace.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server16.filesdumpplace.org tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/3324-1-0x00000000031F0000-0x00000000035EE000-memory.dmp

memory/3324-2-0x0000000004F90000-0x000000000587B000-memory.dmp

memory/3324-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/968-4-0x000000007429E000-0x000000007429F000-memory.dmp

memory/968-5-0x00000000031A0000-0x00000000031D6000-memory.dmp

memory/968-6-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/968-8-0x00000000059C0000-0x0000000005FE8000-memory.dmp

memory/3324-7-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/968-10-0x00000000058A0000-0x00000000058C2000-memory.dmp

memory/968-11-0x00000000060A0000-0x0000000006106000-memory.dmp

memory/968-9-0x0000000074290000-0x0000000074A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0rq1o1e.cnw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/968-21-0x0000000006110000-0x0000000006176000-memory.dmp

memory/968-22-0x0000000006290000-0x00000000065E4000-memory.dmp

memory/968-23-0x00000000066D0000-0x00000000066EE000-memory.dmp

memory/968-24-0x00000000067D0000-0x000000000681C000-memory.dmp

memory/968-25-0x0000000006B70000-0x0000000006BB4000-memory.dmp

memory/968-26-0x0000000007A90000-0x0000000007B06000-memory.dmp

memory/968-27-0x0000000008190000-0x000000000880A000-memory.dmp

memory/968-28-0x0000000007B30000-0x0000000007B4A000-memory.dmp

memory/968-29-0x0000000007CE0000-0x0000000007D12000-memory.dmp

memory/968-31-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/968-32-0x00000000702B0000-0x0000000070604000-memory.dmp

memory/968-30-0x0000000070130000-0x000000007017C000-memory.dmp

memory/968-42-0x0000000007D20000-0x0000000007D3E000-memory.dmp

memory/968-43-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/968-44-0x0000000007D40000-0x0000000007DE3000-memory.dmp

memory/968-45-0x0000000007E50000-0x0000000007E5A000-memory.dmp

memory/968-46-0x0000000007F60000-0x0000000007FF6000-memory.dmp

memory/968-47-0x0000000007E60000-0x0000000007E71000-memory.dmp

memory/968-48-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

memory/968-49-0x0000000007EC0000-0x0000000007ED4000-memory.dmp

memory/968-50-0x0000000007F00000-0x0000000007F1A000-memory.dmp

memory/968-51-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

memory/968-54-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/3324-57-0x00000000031F0000-0x00000000035EE000-memory.dmp

memory/3324-56-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3324-58-0x0000000004F90000-0x000000000587B000-memory.dmp

memory/3324-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3528-60-0x0000000006120000-0x0000000006474000-memory.dmp

memory/2992-70-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3528-72-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/3528-71-0x0000000070130000-0x000000007017C000-memory.dmp

memory/3528-82-0x0000000007910000-0x00000000079B3000-memory.dmp

memory/3528-83-0x0000000007C40000-0x0000000007C51000-memory.dmp

memory/3528-84-0x0000000007C90000-0x0000000007CA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 239cad4d9a140218ab7caa32600b8752
SHA1 c037605f08e6eadc2ecfaa9be30d13e4510963c1
SHA256 6588a2199f06e7fcf11084e59dde4b8c8d6040836d6664411222d2ebabb9ab44
SHA512 607f95498aad5e4d649e59d64221c7c63b96d6a42c1d5b53c4f9ab16aeb61a1bdde68cc7190807567ceef1b64cd56b85dc93ee303848aacc1eb88e43416d0310

memory/2564-99-0x0000000070130000-0x000000007017C000-memory.dmp

memory/2564-100-0x00000000702B0000-0x0000000070604000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d9856b5f0fdac3ab642411c9934cf64
SHA1 f5692efee2bbf7c577da6306e11677965b35b057
SHA256 89919626e62789583b0a627846e01d2f5ae87a96c3d02426d23941542d40d390
SHA512 046922a4f2e6394a28ec04b14daa688e4e5faab8592fbdabbc8a34c8bdf046473e6f4a0bc9c789a5b28c5400e5ed42f428f70d6b36a7ac1e0dbab1f60841f9e9

memory/4976-121-0x0000000070130000-0x000000007017C000-memory.dmp

memory/4976-122-0x00000000708B0000-0x0000000070C04000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 eb9df0160ed192efc462adb201695525
SHA1 6cc4b2ddd3e2de41f1d67d032916eb6e256d8554
SHA256 b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51
SHA512 0b5256997333c513d230d599deef0ea0d958ad3431b806b70a95ce9af8fa43487c2fecfb95f7312d3388d9630e1ec2f4faae2f1067dd54b13bd76e80855f2460

memory/2992-136-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1448-140-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1faf2440ea3c261da5aeb5334413b8a
SHA1 54dad22bdc26cc17092c6ff1d9544465fd67028b
SHA256 3155e837330001b50246cf194256bcb27e703fecde631d66944724eb6aef715f
SHA512 700075e3ec0bf950cdc3a4f34f33ba3b7e89e5b21e17183543dd2c8fd9b342ed07802f544b5684f0e498c6487414e4f3325e60d036378070c000236ed17af233

memory/4068-151-0x0000000070130000-0x000000007017C000-memory.dmp

memory/4068-152-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/428-173-0x0000000005CB0000-0x0000000006004000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f9cd3eeaf61e447d0e392315edee55e5
SHA1 23da4e277b6603ffa8a996da00cab5eb5a70ae40
SHA256 150c2b139001e88fca8be8f201fcb4b1d8beb2d8ac3e749514b1ac5f654aaaad
SHA512 780945f4458577c811a5cdebf4ec2172b131d3bf15686f37cfb126fd34727d2ecbcbe19ea745a3a74bcac48cad14a81805ad2b088e1cc3408bc40f0225ab1cdc

memory/428-175-0x0000000006910000-0x000000000695C000-memory.dmp

memory/428-176-0x0000000070050000-0x000000007009C000-memory.dmp

memory/428-177-0x00000000707E0000-0x0000000070B34000-memory.dmp

memory/428-187-0x00000000075D0000-0x0000000007673000-memory.dmp

memory/428-188-0x0000000007920000-0x0000000007931000-memory.dmp

memory/428-189-0x00000000061B0000-0x00000000061C4000-memory.dmp

memory/4412-200-0x00000000060C0000-0x0000000006414000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 293ae70a346563ee0380e4158d90ba55
SHA1 d2304f3f6d5e60f8f2c045a3a643b15c71624e2e
SHA256 3b65fcb2c5d0a4a8da982f98fa3739f7c33823e72bd1e9e8452a1e20b3541610
SHA512 55067d51eaa253a0af185ee54987442090242dfd99d1fd6c3e672ba43a9e604293591e3738d9d23f06dc5cdd00921e57d827f225640a411e56ce31f5bcc6a4f9

memory/4412-203-0x00000000701F0000-0x0000000070544000-memory.dmp

memory/4412-202-0x0000000070050000-0x000000007009C000-memory.dmp

memory/1448-213-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4248-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1448-224-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/4248-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1448-231-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2124-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1448-234-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1448-237-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2124-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1448-240-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1448-243-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1448-246-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1448-249-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1448-252-0x0000000000400000-0x0000000002ED6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 17:02

Reported

2024-05-09 17:04

Platform

win11-20240426-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\system32\cmd.exe
PID 3776 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2948 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3776 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3776 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\rss\csrss.exe
PID 3776 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\rss\csrss.exe
PID 3776 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe C:\Windows\rss\csrss.exe
PID 2260 wrote to memory of 3700 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3700 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3700 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3700 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3700 wrote to memory of 3312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe

"C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe

"C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59b62ae2-13a7-47b5-a2c0-5ac8d96e5439.uuid.filesdumpplace.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.96:443 server14.filesdumpplace.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server14.filesdumpplace.org tcp
BG 185.82.216.96:443 server14.filesdumpplace.org tcp

Files

memory/2512-1-0x0000000003200000-0x0000000003603000-memory.dmp

memory/2512-2-0x0000000005030000-0x000000000591B000-memory.dmp

memory/2512-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2968-4-0x00000000743AE000-0x00000000743AF000-memory.dmp

memory/2968-5-0x00000000051B0000-0x00000000051E6000-memory.dmp

memory/2968-7-0x0000000005820000-0x0000000005E4A000-memory.dmp

memory/2968-6-0x00000000743A0000-0x0000000074B51000-memory.dmp

memory/2968-8-0x0000000005E80000-0x0000000005EA2000-memory.dmp

memory/2968-9-0x0000000006020000-0x0000000006086000-memory.dmp

memory/2968-11-0x00000000743A0000-0x0000000074B51000-memory.dmp

memory/2968-10-0x0000000006090000-0x00000000060F6000-memory.dmp

memory/2968-14-0x0000000006100000-0x0000000006457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmabgqgr.afc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2968-21-0x00000000065D0000-0x00000000065EE000-memory.dmp

memory/2968-22-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/2968-23-0x0000000006B40000-0x0000000006B86000-memory.dmp

memory/2968-25-0x0000000070610000-0x000000007065C000-memory.dmp

memory/2968-26-0x0000000070860000-0x0000000070BB7000-memory.dmp

memory/2968-35-0x0000000007A40000-0x0000000007A5E000-memory.dmp

memory/2968-36-0x0000000007A60000-0x0000000007B04000-memory.dmp

memory/2968-24-0x00000000079E0000-0x0000000007A14000-memory.dmp

memory/2968-38-0x0000000007B90000-0x0000000007BAA000-memory.dmp

memory/2968-37-0x00000000081D0000-0x000000000884A000-memory.dmp

memory/2968-39-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

memory/2968-40-0x0000000007C90000-0x0000000007D26000-memory.dmp

memory/2968-41-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/2968-42-0x0000000007C40000-0x0000000007C4E000-memory.dmp

memory/2968-43-0x0000000007C50000-0x0000000007C65000-memory.dmp

memory/2968-44-0x0000000007D50000-0x0000000007D6A000-memory.dmp

memory/2968-45-0x0000000007D30000-0x0000000007D38000-memory.dmp

memory/2968-48-0x00000000743A0000-0x0000000074B51000-memory.dmp

memory/2512-50-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2512-52-0x0000000005030000-0x000000000591B000-memory.dmp

memory/2512-49-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1988-61-0x0000000005AE0000-0x0000000005E37000-memory.dmp

memory/1988-62-0x0000000006050000-0x000000000609C000-memory.dmp

memory/1988-63-0x0000000070720000-0x000000007076C000-memory.dmp

memory/1988-64-0x00000000708A0000-0x0000000070BF7000-memory.dmp

memory/1988-73-0x0000000007240000-0x00000000072E4000-memory.dmp

memory/1988-74-0x0000000007540000-0x0000000007551000-memory.dmp

memory/1988-75-0x0000000007590000-0x00000000075A5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/892-87-0x0000000006250000-0x00000000065A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e60e119c91e7d11cf5d2f6f214f89fe8
SHA1 d97882662652275b6796417e135bfff2c39b751f
SHA256 d2c269179d3cd7c4b4383452b6dcd4d5d6f63e04af4b7acbecde5cac28983754
SHA512 57204a142d0ed18d1de252f3dd58ff1cbee86c872199f76d7a2a8e387db33bd0ff7672a93d48ef204b72a34cd43f617a8ca84266d7da205a2b81323490314b47

memory/892-89-0x0000000070720000-0x000000007076C000-memory.dmp

memory/892-90-0x0000000070970000-0x0000000070CC7000-memory.dmp

memory/3776-99-0x0000000000400000-0x0000000002ED6000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d003b200e95173feb0c6305ba5b371e7
SHA1 67bb431f35ae229e29afb688c468968b291accec
SHA256 03940237ff9c13e768960f4fb3f7a78acb82227c5205c4318de41ed970153829
SHA512 1b1afea44b8ae12cb727a8d854c69e22d227383a47e50492d459660eadff138a084b0393779b2494f4d86d33bcf7b996fbb1f3cdce0730618dcdd2ad635192a7

memory/708-110-0x0000000070720000-0x000000007076C000-memory.dmp

memory/708-111-0x0000000070970000-0x0000000070CC7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 eb9df0160ed192efc462adb201695525
SHA1 6cc4b2ddd3e2de41f1d67d032916eb6e256d8554
SHA256 b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51
SHA512 0b5256997333c513d230d599deef0ea0d958ad3431b806b70a95ce9af8fa43487c2fecfb95f7312d3388d9630e1ec2f4faae2f1067dd54b13bd76e80855f2460

memory/3776-124-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2092-125-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/3132-134-0x0000000006370000-0x00000000066C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b488b9fce32465048b7bd85c41129856
SHA1 acb76533ab73e06fb96eb4c38788dd3eb3e4b213
SHA256 d15995cc7065976819294ac13fd9e35db218e3dc17bfb970b98555123adb4e87
SHA512 2cedf925d65efce5d6de5b320fe7d6524efc8f1a73953431a7656a84bc7c38f7f18ed321e10e3bd1abdb84e761b7f134d27dc685fb76c6fb618b76bca152fa47

memory/3132-136-0x0000000006E40000-0x0000000006E8C000-memory.dmp

memory/3132-137-0x0000000070680000-0x00000000706CC000-memory.dmp

memory/3132-138-0x00000000708D0000-0x0000000070C27000-memory.dmp

memory/3132-147-0x0000000007B80000-0x0000000007C24000-memory.dmp

memory/3132-148-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

memory/3132-149-0x00000000066F0000-0x0000000006705000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d71238b060c35c905295d13a4529612
SHA1 e4a940ec3c1cfecb07825351e7e232627a293c0e
SHA256 0965fa473866a5c0e3a200029e3245ca62067496d884500fe8cbe839b0d8cdb6
SHA512 dfd4688163ba3a03ba6660d8aff92cad59d2911d43bfb97b01f733643e83803aeeb40f9275b2feaaa21615872db3baee780ef0c110c83b51d94c43d56509d64f

memory/2272-160-0x00000000058A0000-0x0000000005BF7000-memory.dmp

memory/2272-161-0x0000000006280000-0x00000000062CC000-memory.dmp

memory/2272-162-0x00000000705A0000-0x00000000705EC000-memory.dmp

memory/2272-172-0x0000000006FC0000-0x0000000007064000-memory.dmp

memory/2272-163-0x0000000070720000-0x0000000070A77000-memory.dmp

memory/2272-173-0x0000000007190000-0x00000000071A1000-memory.dmp

memory/2272-174-0x0000000005690000-0x00000000056A5000-memory.dmp

memory/4804-184-0x00000000063C0000-0x0000000006717000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7a6a7ee51f295f88fe8f79fc68deebed
SHA1 be0cbbb3ce9beca7e8b80619750e80a57033836f
SHA256 3db786d474d4bdcbf8d84ac5746fddc3714b8871b866dfe4053a8c3aa30bb647
SHA512 71aeedffb1af23ceb4b723107e9f6bfcef747b200cfed32d66947ae8c22e5b6d64e2e3532596a855c84f79a5e5830b130ebba20979b1caee1a16448fcb10a4ad

memory/4804-186-0x00000000705A0000-0x00000000705EC000-memory.dmp

memory/4804-187-0x00000000707F0000-0x0000000070B47000-memory.dmp

memory/2092-201-0x0000000074DC0000-0x0000000074DDE000-memory.dmp

memory/2092-199-0x0000000074CE0000-0x0000000074D21000-memory.dmp

memory/2092-198-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2260-202-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1468-203-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2260-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2092-212-0x0000000074C30000-0x0000000074C71000-memory.dmp

memory/2092-211-0x0000000074C50000-0x0000000074C61000-memory.dmp

memory/2092-208-0x0000000074C70000-0x0000000074CD7000-memory.dmp

memory/2092-207-0x0000000074CE0000-0x0000000074D21000-memory.dmp

memory/2092-206-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1468-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2092-216-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2092-226-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/1468-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2092-236-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2092-246-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2092-256-0x0000000000400000-0x0000000002ED6000-memory.dmp

memory/2092-266-0x0000000000400000-0x0000000002ED6000-memory.dmp