Malware Analysis Report

2024-12-08 02:17

Sample ID: 240516-pwmj3ade72
SHA256: b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca
Tags: glupteba discovery dropper evasion execution loader persistence rootkit
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca was found to be: Known bad.

Malicious Activity Summary


Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)


Analysis: static1

Detonation Overview

Reported: 2024-05-16 12:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 12:40
Reported: 2024-05-16 12:43
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 512 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | C:\Windows\system32\cmd.exe
PID 1132 wrote to memory of 3368 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4068 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe | C:\Windows\rss\csrss.exe
PID 3508 wrote to memory of 1336 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3032 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3960 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 404 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe
    "C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe
    "C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
NL | 23.62.61.104:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 104.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 717c3713-cd4d-4494-8809-7153573140d2.uuid.allstatsin.ru | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | stun.sipgate.net | udp
US | 8.8.8.8:53 | server4.allstatsin.ru | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.133.233:443 | cdn.discordapp.com | tcp
US | 3.33.249.248:3478 | stun.sipgate.net | udp
BG | 185.82.216.104:443 | server4.allstatsin.ru | tcp
US | 8.8.8.8:53 | 248.249.33.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.216.82.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp
N/A | 127.0.0.1:31464 | | tcp
US | 8.8.8.8:53 | blockchain.info | udp
US | 104.16.237.243:443 | blockchain.info | tcp
US | 8.8.8.8:53 | 243.237.16.104.in-addr.arpa | udp

Files

memory/512-1-0x0000000002960000-0x0000000002D5C000-memory.dmp

memory/512-2-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/512-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4296-4-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

memory/4296-5-0x0000000002ED0000-0x0000000002F06000-memory.dmp

memory/4296-6-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4296-7-0x0000000005590000-0x0000000005BB8000-memory.dmp

memory/4296-8-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4296-9-0x0000000005520000-0x0000000005542000-memory.dmp

memory/4296-11-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/4296-10-0x0000000005DA0000-0x0000000005E06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4se3i0r.pm2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4296-17-0x0000000005E80000-0x00000000061D4000-memory.dmp

memory/4296-22-0x0000000006480000-0x000000000649E000-memory.dmp

memory/4296-23-0x00000000064B0000-0x00000000064FC000-memory.dmp

memory/4296-24-0x00000000069E0000-0x0000000006A24000-memory.dmp

memory/4296-25-0x00000000075A0000-0x0000000007616000-memory.dmp

memory/4296-26-0x0000000007ED0000-0x000000000854A000-memory.dmp

memory/4296-27-0x0000000007850000-0x000000000786A000-memory.dmp

memory/4296-29-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/4296-30-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4296-28-0x00000000079E0000-0x0000000007A12000-memory.dmp

memory/4296-31-0x00000000711E0000-0x0000000071534000-memory.dmp

memory/4296-41-0x0000000007A20000-0x0000000007A3E000-memory.dmp

memory/4296-42-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4296-43-0x0000000007A40000-0x0000000007AE3000-memory.dmp

memory/4296-44-0x0000000007B30000-0x0000000007B3A000-memory.dmp

memory/4296-45-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4296-46-0x0000000007C00000-0x0000000007C96000-memory.dmp

memory/4296-47-0x0000000007B60000-0x0000000007B71000-memory.dmp

memory/4296-48-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

memory/4296-49-0x0000000007BB0000-0x0000000007BC4000-memory.dmp

memory/4296-50-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

memory/4296-51-0x0000000007BE0000-0x0000000007BE8000-memory.dmp

memory/4296-54-0x0000000074BC0000-0x0000000075370000-memory.dmp

memory/4068-56-0x0000000002940000-0x0000000002D48000-memory.dmp

memory/3036-66-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/3036-67-0x00000000711E0000-0x0000000071534000-memory.dmp

memory/3036-77-0x0000000007630000-0x00000000076D3000-memory.dmp

memory/3036-78-0x0000000007940000-0x0000000007951000-memory.dmp

memory/512-79-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/512-80-0x0000000002960000-0x0000000002D5C000-memory.dmp

memory/512-81-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/3036-82-0x0000000007990000-0x00000000079A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3144-95-0x0000000005550000-0x00000000058A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0672b363c33deb6a7838668f11d6d08d
SHA1 6e06feee9447ab0c47fbac0f6fc2d04ced67104f
SHA256 ec9946c332cca3c4c0731db05ef3c0063527f7b68f3c810afc4011e539aaebca
SHA512 16ee9a545ec4a48bd0f918da6a00220289a35b965c79cf1c272772923ccb47a0dc5ba8d6f32a5775cfed8c595d26710d1c731f266b0d2c062bb8322424174053

memory/3144-97-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/3144-98-0x0000000070BE0000-0x0000000070F34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d99f397ed11579526896f62e22f072ff
SHA1 68ad2ecc17736b682cab5690aa2d591b9934a690
SHA256 8ce55ea2a299ad4dd6245665c81b6ceb2a6cf82acf13d413a56649d521a1aa98
SHA512 1f042bf7ff607f69d5b14afd768756415c04c206a511febdbb9e3b5d4d5e768bb8f0af03a3fe075c259fb88673ffb7407617068a621c83a21e938d7a20069271

memory/536-119-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/536-120-0x00000000711E0000-0x0000000071534000-memory.dmp

memory/4068-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ff9e6711f26fb3c5be35d8777d0110c9
SHA1 ca853fa75d22fd6cd2aa329064376385722be45b
SHA256 b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca
SHA512 56724181be49358eceb408b4f6c5bc4c0ee2cb6887772668c9b4ed25c100fd6c38c7990777816ccb08efaf33896c7ff65e2f208a5d8d869164653f4935488f09

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 887c6d824fbcacf6a2e5ecf388fc3bc8
SHA1 d8c1c3e5f5fe6644181935df9196e1607859d034
SHA256 1c3095841552d5523628b887f4c16cb455db1a84407b9cb24b9a1ac179731d26
SHA512 e636ffa19ee5a8b856c13bd74a6756ca68c7549dadf96c501552b76b44e89656609eaea5fddd3eca7b0f3e0a1c412d5692f83f81123b96876fe1746be0819add

memory/1336-148-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/1336-149-0x0000000070BE0000-0x0000000070F34000-memory.dmp

memory/3032-169-0x0000000005760000-0x0000000005AB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 66bdcf05ad1dd568608bc40538dde9eb
SHA1 ff0afe6f46f489e73be10f93dc8145664ec0435e
SHA256 e268c3b5e040bb6c143df0f0e75a296bc1ca80a8a2efb39a4cd95729bb7a555e
SHA512 a2ce80d606523fb19d78c9ae0206ea35b999bf94ab1cf4f3d1be2782f02df376d3b451f1092e7ea7bc086a2d7256912ff7ed0e7de20e343f1821d869a06aff4b

memory/3032-171-0x0000000006250000-0x000000000629C000-memory.dmp

memory/3032-172-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/3032-173-0x0000000070B00000-0x0000000070E54000-memory.dmp

memory/3032-183-0x0000000006F20000-0x0000000006FC3000-memory.dmp

memory/3032-184-0x0000000007260000-0x0000000007271000-memory.dmp

memory/3032-185-0x0000000005AE0000-0x0000000005AF4000-memory.dmp

memory/3960-187-0x0000000005FF0000-0x0000000006344000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5d5baa67c71385faac242a73e3b4d299
SHA1 066e11fbfc11a1716d79303a792f3a1b00c3eaef
SHA256 45192f0fb61326404f17719952e33d9b9daa948ea731758aa6fb124f34497cd0
SHA512 f86d85674110e4625588340db24e5f9c3ec34c8c96c897e751c9bfd12c82b13ee7f7fbccedfa59de8efff930497b731f3eb68a35ec2245be5efe42e860735f40

memory/3960-198-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/3960-199-0x0000000071110000-0x0000000071464000-memory.dmp

memory/4068-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4068-218-0x0000000002940000-0x0000000002D48000-memory.dmp

memory/3508-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3508-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 12:40

Reported

2024-05-16 12:43

Platform

win11-20240508-en

Max time kernel

150s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4952 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\system32\cmd.exe
PID 1896 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1896 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2860 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\rss\csrss.exe
PID 2860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\rss\csrss.exe
PID 2860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe C:\Windows\rss\csrss.exe
PID 1688 wrote to memory of 2348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 2592 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4560 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4760 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1688 wrote to memory of 4760 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe

"C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe

"C:\Users\Admin\AppData\Local\Temp\b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 321c1af4-21e8-4aea-9c11-eff308793451.uuid.allstatsin.ru udp
US 8.8.8.8:53 server10.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.104:443 server10.allstatsin.ru tcp
BG 185.82.216.104:443 server10.allstatsin.ru tcp
US 52.111.227.14:443 tcp
BG 185.82.216.104:443 server10.allstatsin.ru tcp
N/A 127.0.0.1:31464 tcp
US 35.201.74.156:443 blockstream.info tcp

Files

memory/4952-1-0x0000000002A20000-0x0000000002E1A000-memory.dmp

memory/4952-2-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/4952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3344-4-0x000000007411E000-0x000000007411F000-memory.dmp

memory/3344-5-0x00000000029D0000-0x0000000002A06000-memory.dmp

memory/3344-6-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/3344-7-0x0000000005100000-0x000000000572A000-memory.dmp

memory/3344-8-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/3344-9-0x0000000004FE0000-0x0000000005002000-memory.dmp

memory/3344-10-0x00000000058E0000-0x0000000005946000-memory.dmp

memory/3344-11-0x0000000005950000-0x00000000059B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44posp2y.tdg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3344-20-0x00000000059C0000-0x0000000005D17000-memory.dmp

memory/3344-21-0x0000000005E90000-0x0000000005EAE000-memory.dmp

memory/3344-22-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

memory/3344-23-0x0000000006400000-0x0000000006446000-memory.dmp

memory/3344-24-0x00000000072B0000-0x00000000072E4000-memory.dmp

memory/3344-25-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/3344-26-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/3344-27-0x0000000070510000-0x0000000070867000-memory.dmp

memory/3344-36-0x00000000072F0000-0x000000000730E000-memory.dmp

memory/3344-37-0x0000000007310000-0x00000000073B4000-memory.dmp

memory/3344-38-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/3344-39-0x0000000007A80000-0x00000000080FA000-memory.dmp

memory/3344-40-0x0000000007440000-0x000000000745A000-memory.dmp

memory/3344-41-0x0000000007480000-0x000000000748A000-memory.dmp

memory/3344-42-0x0000000007590000-0x0000000007626000-memory.dmp

memory/3344-43-0x00000000074A0000-0x00000000074B1000-memory.dmp

memory/3344-44-0x00000000074F0000-0x00000000074FE000-memory.dmp

memory/3344-45-0x0000000007500000-0x0000000007515000-memory.dmp

memory/3344-46-0x0000000007550000-0x000000000756A000-memory.dmp

memory/3344-47-0x0000000007540000-0x0000000007548000-memory.dmp

memory/3344-50-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/4952-52-0x0000000002A20000-0x0000000002E1A000-memory.dmp

memory/4952-53-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/2860-54-0x0000000002AE0000-0x0000000002EDA000-memory.dmp

memory/4508-55-0x0000000006180000-0x00000000064D7000-memory.dmp

memory/4508-64-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/4508-65-0x00000000705D0000-0x0000000070927000-memory.dmp

memory/4508-74-0x0000000007870000-0x0000000007914000-memory.dmp

memory/4952-75-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4508-76-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

memory/4508-77-0x0000000007C10000-0x0000000007C25000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c846be4c7de5d39e9e04f31f110c3b09
SHA1 ef758203288d098387bc0c0b31775ba0b275f010
SHA256 fbc9f8d386721c0f0f5368296e227f0cd94a1bd68f8c07d3c7fe5237149a9c8c
SHA512 32cd9fb726a044c78bbebc75c9af74bb9d44103a21b6ac2a374a6cda9dd7e8627ff85d3c83aa853040179c824f1222026e372b40b2be00e8e53205885d3e6ee1

memory/4824-90-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/4824-91-0x00000000705D0000-0x0000000070927000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9745c727f85f5a525558b5776059962c
SHA1 b34f67f56b5dcdf3ef15168527386616cc9f90c2
SHA256 8fbe355f1758797733613b30ae11c43e948fbef53436e0870a480338dfa53253
SHA512 25a9346d70786382686f85a5e123239a4158475c448e09f89a199f710193d177e94bf79d5e7ce68cb31ba8743caa6d55ae857b127a499623a0e991b66528acb7

memory/968-110-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/968-111-0x00000000705D0000-0x0000000070927000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ff9e6711f26fb3c5be35d8777d0110c9
SHA1 ca853fa75d22fd6cd2aa329064376385722be45b
SHA256 b723073d7e11b1525a8de0fe4c981070a9f2b1bb986e995352fe63a1b48a56ca
SHA512 56724181be49358eceb408b4f6c5bc4c0ee2cb6887772668c9b4ed25c100fd6c38c7990777816ccb08efaf33896c7ff65e2f208a5d8d869164653f4935488f09

memory/2860-123-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c775f4a0c63b6c8b7ccbc795953c42bb
SHA1 0d2adec00d022676f4f04970cf3cc9bc6cea3d7b
SHA256 74ff0f3dd116f921268bcb0025701167d3bbcaea22894625bf359cf71905fcc1
SHA512 56b33a41d794b0015da9ca6a9ca73acd5cecf33eb7276a2f840399c2929509c38daa636ed293a9d22cfe0b124658ea7d45e6d37426b25f9a19f1ce25e93c9eac

memory/2348-137-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/2348-138-0x00000000705D0000-0x0000000070927000-memory.dmp

memory/2592-156-0x0000000005CF0000-0x0000000006047000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ac9408fe7a115f32e0f77863a8c55868
SHA1 cfc24b132fd92fb40717ee06fd2c6beff1cf1aff
SHA256 f5e94853e4f1566d2af4388c02c61b10d82f327b10b4f34a82800e1eb836cb48
SHA512 963dba8d2e78ab3071689170cf419ba24ba4f7cbe451f0fb0b90dfc06138ce1cfb8129a1240efbb41ddbcb14237c50dd4ab5a2e7c23f0816d22eeb50f732c584

memory/2592-158-0x0000000006560000-0x00000000065AC000-memory.dmp

memory/2592-159-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/2592-160-0x0000000070420000-0x0000000070777000-memory.dmp

memory/2592-169-0x00000000073B0000-0x0000000007454000-memory.dmp

memory/2592-170-0x0000000007700000-0x0000000007711000-memory.dmp

memory/2592-171-0x0000000005B70000-0x0000000005B85000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a5ae5e3107856894abd50138bdb7bca
SHA1 0a473f1d1ffa9cbcb73e5fe80ebd47f88bf2f852
SHA256 f6dbf176f9d0333ab79a144fd11a08768fb50f5a27abda5998f7e4bb07f698b0
SHA512 899f0a5efdbea2b55b20fb9526cb4f9381db31faa4135e77ab84cf262f38def3a56ccc2a10ba5025a98f13612c39b166e319f96fe74feb0e99eb701c90c4f135

memory/4560-182-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/4560-183-0x0000000070420000-0x0000000070777000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1688-199-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-203-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-205-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-209-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1688-221-0x0000000000400000-0x0000000000D1C000-memory.dmp