Malware Analysis Report

2025-01-02 06:28

Sample ID 240516-lsw3jsfb98
Target ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef
SHA256 ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef
Tags
glupteba discovery dropper evasion execution loader persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef

Threat Level: Known bad

The file ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 09:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 09:48

Reported

2024-05-16 09:50

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\system32\cmd.exe
PID 4484 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\system32\cmd.exe
PID 3788 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3788 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4484 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\rss\csrss.exe
PID 4484 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\rss\csrss.exe
PID 4484 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\rss\csrss.exe
PID 3648 wrote to memory of 1564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 1564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 1564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 2196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 2196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 2196 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3648 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3648 wrote to memory of 2568 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe

"C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1032,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe

"C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcmuyy4v.a32.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a7f12c7b0146bbf9f5da5a0ee33ef4bd
SHA1 f2c9389b036bf65b60b93dc44a4651b0292466a5
SHA256 1239851965780a9200ad9ae1ff6e02eaaf09f48cc54fdf2b0e5349ff646f2387
SHA512 b5b97e81a548b753cc6fd0977da59df80913960870fecf730a2033f30cf5b98d1e1f3b14cd36e7d864b21d935b30ee9e368af85e4514909d128f5e6c7ee202a0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 533ad1196f0a9c4557a14a1da406ae28
SHA1 76fd7d6c6daed15e32077952bd161f08aa53fbd0
SHA256 d303f312f9eb5c1c0a985c71c3539454632e2f5ec4811fdb68778a6225fb11f6
SHA512 0750eed314a9e3f821bcefd3d642270012c45d67ef94aa30ee2cd5c91f942825fec0c34208bca58a51a04efbcd8dfefd28d1fef6394a20d5589032420e4b97a2

C:\Windows\rss\csrss.exe

MD5 a3c419f3f21ea2b1f953b6afffa93ab3
SHA1 fc3d57e90e505d0ea5a1194bc0d244eac6924505
SHA256 ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef
SHA512 ad6f26ce3277538232654956ebe8a07148ff4e817719c123245d107abeb94833cdd21e30602decd70bf6c8806a0a4cb8b6158ff681363dd1e9682b6a026036ac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 660411ffc82bf6a37a0e6a02e34f2649
SHA1 389956ca9ad931917ac69bfad9d14fdc8da74bb8
SHA256 eb9ae1803567829b6696d3f514691320ba352efbbd4f374a99cfe941fa39bcb3
SHA512 9edc2b6c04e154054e212cd840da64d4b406c0b2b8fcba7be7552597553083fd267e71d3d84ada389a1c07280544dfeb83d4d592481e89d2dddd4b9ca763dbc5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 807886f005a68a12ae4b340bd55e7b76
SHA1 e33d5eb7bfdd2da757b22212ef1b10fb4d7d53a2
SHA256 d3094f5c07bd7b4077cb33f98b471c396d7b37ec543e9d4025684235a0824911
SHA512 d6d344a6dcd4c41260c10edf7f76b68e79769d7855f0ed23152f3c6975bb80b405abc0390a987d736ea5805e4ed90f4d4eab2223875579f8c91fc837ffc14ea4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d3bd1cea506b53dcbf5058b4c67e1069
SHA1 6af2fd00afe1d3ffc84b2d9fd86ce451a378cdbc
SHA256 6937687ca6b6ca9637971c2319d49acd0a8464a62795912a8c2a6e0014d77484
SHA512 3076ea7cb0e7bd08190762e006c8ee3d60f5e55f957174416ab2e944f2ab19a8e7b6a84b8352aa5e89d23e930880b3250655a8488c13941cb6833808cb6f55b0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 09:48

Reported

2024-05-16 09:50

Platform

win11-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\system32\cmd.exe
PID 1108 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4456 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\rss\csrss.exe
PID 4456 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\rss\csrss.exe
PID 4456 wrote to memory of 476 N/A C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe C:\Windows\rss\csrss.exe
PID 476 wrote to memory of 3348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 3348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 3348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 476 wrote to memory of 1932 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 476 wrote to memory of 1932 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe

"C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe

"C:\Users\Admin\AppData\Local\Temp\ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 22ab6373-6b34-430c-9603-dd1a99ab9bf2.uuid.allstatsin.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server8.allstatsin.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server8.allstatsin.ru tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.104:443 server8.allstatsin.ru tcp
BG 185.82.216.104:443 server8.allstatsin.ru tcp
N/A 127.0.0.1:31464 N/A tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
FI 135.181.215.237:50001 electrum.emzy.de tcp
SE 45.154.252.99:50001 e2.keff.org tcp
SE 45.154.252.100:50001 e.keff.org tcp
GB 198.244.201.86:50001 bitcoin.lu.ke tcp
BR 52.67.225.163:50001 eai.coincited.net tcp
PL 34.118.1.54:50001 N/A tcp
US 5.78.65.104:50002 N/A tcp

Files

memory/2728-1-0x0000000002A90000-0x0000000002E89000-memory.dmp

memory/2728-2-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/2728-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4084-4-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

memory/4084-5-0x0000000005040000-0x0000000005076000-memory.dmp

memory/4084-6-0x0000000073F20000-0x00000000746D1000-memory.dmp

memory/4084-7-0x0000000005800000-0x0000000005E2A000-memory.dmp

memory/4084-8-0x0000000073F20000-0x00000000746D1000-memory.dmp

memory/4084-9-0x0000000005E60000-0x0000000005E82000-memory.dmp

memory/4084-10-0x0000000005F00000-0x0000000005F66000-memory.dmp

memory/4084-11-0x0000000005F70000-0x0000000005FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zj0o5ee.c3v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4084-20-0x0000000005FE0000-0x0000000006337000-memory.dmp

memory/4084-21-0x00000000064C0000-0x00000000064DE000-memory.dmp

memory/4084-22-0x00000000069F0000-0x0000000006A3C000-memory.dmp

memory/4084-23-0x0000000006A80000-0x0000000006AC6000-memory.dmp

memory/4084-24-0x00000000078E0000-0x0000000007914000-memory.dmp

memory/4084-35-0x0000000007940000-0x000000000795E000-memory.dmp

memory/4084-36-0x0000000007960000-0x0000000007A04000-memory.dmp

memory/4084-26-0x0000000070310000-0x0000000070667000-memory.dmp

memory/4084-37-0x0000000073F20000-0x00000000746D1000-memory.dmp

memory/4084-25-0x0000000070190000-0x00000000701DC000-memory.dmp

memory/4084-39-0x0000000007A90000-0x0000000007AAA000-memory.dmp

memory/4084-38-0x00000000080D0000-0x000000000874A000-memory.dmp

memory/4084-40-0x0000000073F20000-0x00000000746D1000-memory.dmp

memory/4084-41-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

memory/4084-42-0x0000000007BE0000-0x0000000007C76000-memory.dmp

memory/4084-43-0x0000000007AF0000-0x0000000007B01000-memory.dmp

memory/4084-44-0x0000000007B40000-0x0000000007B4E000-memory.dmp

memory/4084-45-0x0000000007B50000-0x0000000007B65000-memory.dmp

memory/4084-46-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

memory/4084-47-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

memory/4084-50-0x0000000073F20000-0x00000000746D1000-memory.dmp

memory/4456-52-0x0000000002A20000-0x0000000002E25000-memory.dmp

memory/1572-61-0x0000000005E10000-0x0000000006167000-memory.dmp

memory/1572-62-0x0000000070190000-0x00000000701DC000-memory.dmp

memory/1572-63-0x00000000703C0000-0x0000000070717000-memory.dmp

memory/1572-72-0x00000000075C0000-0x0000000007664000-memory.dmp

memory/1572-73-0x00000000078F0000-0x0000000007901000-memory.dmp

memory/1572-74-0x0000000007940000-0x0000000007955000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2104-86-0x0000000005730000-0x0000000005A87000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1321bb4ad65f54aedc6c3861cd12e556
SHA1 7966d6ca95b5c5d7519e16e6ce2bc90ce34104ea
SHA256 9633932f18afaf1fa695cee19c5eb32e5d3e778d58715aefc7643feb61438bcb
SHA512 15339b52873c7326fa053af5be494e10406c5317df9900150e725869dccc5460eb491e4f6333b45b36b236c2e6c4bc89abe2c1c50a99e193984fe7b1fb29f844

memory/2104-88-0x0000000070190000-0x00000000701DC000-memory.dmp

memory/2104-89-0x00000000703A0000-0x00000000706F7000-memory.dmp

memory/2728-99-0x0000000002A90000-0x0000000002E89000-memory.dmp

memory/2728-98-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2728-100-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/4212-107-0x0000000006220000-0x0000000006577000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 595d84634876f215969d5b7dd7161e68
SHA1 295a03e3fdfd9627152423b6e3ab4e1da9926b27
SHA256 fa0a5449ed163f74bf0b64947156d6bbf8ff6c8efbb993a45123585d7c366a8e
SHA512 87f9aabf9fc1fdbcea1e3eb7bdaefa33e3f8ee86ada7f83f1bac5214173557808299f8846832055d27ad6bbf94f9fa3b07128e7ee566b68e2da240d7c2e3e9fb

memory/4212-112-0x0000000070190000-0x00000000701DC000-memory.dmp

memory/4212-113-0x00000000703E0000-0x0000000070737000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a3c419f3f21ea2b1f953b6afffa93ab3
SHA1 fc3d57e90e505d0ea5a1194bc0d244eac6924505
SHA256 ec71d99d67a0c77b556c316b7847f3f4b5e89bb7e5b8292bd23d6e2dadc60aef
SHA512 ad6f26ce3277538232654956ebe8a07148ff4e817719c123245d107abeb94833cdd21e30602decd70bf6c8806a0a4cb8b6158ff681363dd1e9682b6a026036ac

memory/4456-127-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 89f45b04b175da47c3818a204441923e
SHA1 abf86afdcb9078d690e6a06f1caa9c8e45cfc7c1
SHA256 0d44dbc40b2dd74e51c4d27f2ed5f8ee41e3cb0535111570294383c3519f55c7
SHA512 a3ab064e4c648211efc0872b0dca62775108cf369b4fe873e973497cb41adc2791ccc37de373f3d908c199c69563c2b56af148f6a8b9a61e3bdd88802e1625ad

memory/3348-138-0x0000000070190000-0x00000000701DC000-memory.dmp

memory/3348-139-0x0000000070310000-0x0000000070667000-memory.dmp

memory/1064-158-0x0000000005940000-0x0000000005C97000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fbcf625d8d2ef66696b9ba8815c13726
SHA1 6da9b33388b703103a620f84a7e565302fe41cb8
SHA256 391a97f33642a4d9f70d5f384e0aeb9aff175b65f631304b0e0db3a287275926
SHA512 01d973e4c466002a97ae366ffaa8b13855f1dde8c7a17fb812c960c24d9dfd5c05d138c33f110f63f3a9c2426292988d757fc186fa608e4dcdf594654a4b3b90

memory/1064-160-0x0000000006430000-0x000000000647C000-memory.dmp

memory/1064-161-0x00000000700B0000-0x00000000700FC000-memory.dmp

memory/1064-162-0x00000000702C0000-0x0000000070617000-memory.dmp

memory/1064-171-0x0000000007160000-0x0000000007204000-memory.dmp

memory/1064-172-0x0000000007310000-0x0000000007321000-memory.dmp

memory/1064-173-0x0000000005CD0000-0x0000000005CE5000-memory.dmp

memory/1740-175-0x0000000006310000-0x0000000006667000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c066338eb89297c30bc644627066ddd8
SHA1 8b8112ee491bc0d8dd5350a090fa1d8e40ab43ba
SHA256 a6d270847422f2b7db6d9c863658b4048788fa843d3aa9c4b792c98759be34ab
SHA512 3a8cb4596f1a9813f9ebf259b3231c8d688a495d6424e3743dffd539a139972cd3e8cfc9a944bab4cc08a09e6bd22d50acd3ddbfbf6798a402f252de1ff72055

memory/1740-185-0x00000000700B0000-0x00000000700FC000-memory.dmp

memory/1740-186-0x0000000070300000-0x0000000070657000-memory.dmp

memory/476-195-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/476-203-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-205-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-209-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/476-225-0x0000000000400000-0x0000000000D1C000-memory.dmp