Malware Analysis Report

2025-01-02 06:26

Sample ID 240516-ssw6waag9y
Target b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd
SHA256 b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd
Tags
glupteba discovery dropper evasion execution loader persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd

Threat Level: Known bad

The file b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 15:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 15:23

Reported

2024-05-16 15:26

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3756 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3756 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3756 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\system32\cmd.exe
PID 1412 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1412 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1412 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\rss\csrss.exe
PID 1412 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\rss\csrss.exe
PID 1412 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\rss\csrss.exe
PID 2544 wrote to memory of 4564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 4564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 4564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 4056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 4056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 4056 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 3872 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2544 wrote to memory of 4392 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe

"C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe

"C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 163.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 c7c8e635-e6ef-4b87-a180-04dc2eb142d6.uuid.allstatsin.ru udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.allstatsin.ru udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3756-1-0x0000000002920000-0x0000000002D1D000-memory.dmp

memory/3756-2-0x0000000002D20000-0x000000000360B000-memory.dmp

memory/3756-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1932-4-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

memory/1932-5-0x00000000031F0000-0x0000000003226000-memory.dmp

memory/1932-7-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1932-6-0x0000000005A80000-0x00000000060A8000-memory.dmp

memory/1932-8-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1932-9-0x0000000005930000-0x0000000005952000-memory.dmp

memory/1932-10-0x0000000006120000-0x0000000006186000-memory.dmp

memory/1932-11-0x0000000006190000-0x00000000061F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ba0reabj.v4d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1932-21-0x0000000006300000-0x0000000006654000-memory.dmp

memory/1932-22-0x00000000067F0000-0x000000000680E000-memory.dmp

memory/1932-23-0x0000000006840000-0x000000000688C000-memory.dmp

memory/1932-24-0x0000000006D50000-0x0000000006D94000-memory.dmp

memory/1932-25-0x0000000007B10000-0x0000000007B86000-memory.dmp

memory/1932-26-0x0000000008210000-0x000000000888A000-memory.dmp

memory/1932-27-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

memory/1932-28-0x0000000007D70000-0x0000000007DA2000-memory.dmp

memory/1932-29-0x00000000708B0000-0x00000000708FC000-memory.dmp

memory/1932-30-0x0000000070A30000-0x0000000070D84000-memory.dmp

memory/1932-40-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1932-41-0x0000000007DB0000-0x0000000007DCE000-memory.dmp

memory/1932-42-0x0000000007DD0000-0x0000000007E73000-memory.dmp

memory/1932-43-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1932-44-0x0000000007EC0000-0x0000000007ECA000-memory.dmp

memory/1932-45-0x0000000007F80000-0x0000000008016000-memory.dmp

memory/1932-46-0x0000000007EE0000-0x0000000007EF1000-memory.dmp

memory/1932-47-0x0000000007F20000-0x0000000007F2E000-memory.dmp

memory/1932-48-0x0000000007F30000-0x0000000007F44000-memory.dmp

memory/1932-49-0x0000000008020000-0x000000000803A000-memory.dmp

memory/1932-50-0x0000000007F70000-0x0000000007F78000-memory.dmp

memory/1932-53-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1412-55-0x0000000002960000-0x0000000002D61000-memory.dmp

memory/3756-56-0x0000000002920000-0x0000000002D1D000-memory.dmp

memory/4676-57-0x0000000005BB0000-0x0000000005F04000-memory.dmp

memory/4676-67-0x00000000708B0000-0x00000000708FC000-memory.dmp

memory/4676-68-0x0000000071030000-0x0000000071384000-memory.dmp

memory/4676-78-0x00000000073D0000-0x0000000007473000-memory.dmp

memory/4676-79-0x0000000007710000-0x0000000007721000-memory.dmp

memory/4676-80-0x0000000007760000-0x0000000007774000-memory.dmp

memory/3756-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3756-84-0x0000000002D20000-0x000000000360B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8ae5cca18d1fce8c6b14b0f33f3bbb37
SHA1 c870b41d13a132d22aed474485a0e78472eeac22
SHA256 3b04ca68faacef94ac0e3607e74025a4fb24554617c42ceb26205aa82e44ae8f
SHA512 e5a32a6d3c291502aa6be9b88e7a0c2c2e452864d2054ef1cd2c9cd8650815ff3318442c0d36dcfeece37aec88dc5a0a562ab91b3d4bbb0a7c585cac219526ab

memory/2892-96-0x00000000708B0000-0x00000000708FC000-memory.dmp

memory/2892-97-0x0000000070A30000-0x0000000070D84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 441918235c66bff282d82ecb9a3b8464
SHA1 2922e9932df463182434fa909ac9661b5aafb38d
SHA256 564f33e365546736add5db5a1df64b745e77bd45a45ba580215ff03a01b304d7
SHA512 0c2b19acd550d4087ffa87cb513bd6d48b3dbbfb750cd6c37b8b70e5df16d8559a3485a5f234e66733c4c25401029a1f12b8a18b0a4e329893d2422aa408a229

memory/2268-118-0x00000000708B0000-0x00000000708FC000-memory.dmp

memory/2268-119-0x0000000071030000-0x0000000071384000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3aafa11f14ab92b3d3e98784f1adbbc1
SHA1 c1015ea32b75c59f6323c46055d3ef0bbaa80f85
SHA256 b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd
SHA512 13a886db858101fb79fcfacc00b6ce449607b5906ab63d369e5508710d52e6e52f259a825d7a32f47af52834c3df4adde0b02b965f73e22b5ec90621f1ea947d

memory/1412-133-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9f8ef268b124e57f7ba4107deb55c3e2
SHA1 c7cd0e296361f4da1ec71418e2222a0d9e665cef
SHA256 e219a673e5cec432bb6ba00bf91475968ae5f6755cac53fe3538572eb07aada5
SHA512 b8d9fdc69fa6edea1ee09ae84da6fe1e2211a0ef5d8623abb0cb9a050434409302695b7df4a6ebfc83d653484307b24ebbc1d6c33ad06a578ddb7d65df1c4834

memory/4564-146-0x00000000708B0000-0x00000000708FC000-memory.dmp

memory/4564-147-0x0000000070A30000-0x0000000070D84000-memory.dmp

memory/4056-165-0x0000000006190000-0x00000000064E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06fd232c1c858ff447e67a87180c060d
SHA1 0e61f4caf56697d2677d6f4079d3cee94bf6c889
SHA256 330233e91f244afa44ca0fc7c0072ed7c46199f8d7d43d5153440c22a1f67991
SHA512 7845c96deb89e8a6339697e216972bc26c093c5d23d998f5180ccfcdb41088a570a0c580af191dde3607a071d9809f072dc6d1845191e5317cd4869e422ab0bd

memory/4056-170-0x0000000006AC0000-0x0000000006B0C000-memory.dmp

memory/4056-172-0x0000000070970000-0x0000000070CC4000-memory.dmp

memory/4056-171-0x00000000707D0000-0x000000007081C000-memory.dmp

memory/4056-182-0x00000000079C0000-0x0000000007A63000-memory.dmp

memory/4056-183-0x0000000007D00000-0x0000000007D11000-memory.dmp

memory/4056-184-0x0000000006510000-0x0000000006524000-memory.dmp

memory/3872-192-0x00000000056B0000-0x0000000005A04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a78f7bc2ca086d991757d32cdeba9cf6
SHA1 df57354217c0f28311284cff1515e5095c68134c
SHA256 f3ef055e5e476d7d24ee8c216abdcf8efd496e685d63456e5205de1b8df1957c
SHA512 c76e83855f791b9915878efe9b6ff6e37576732d723580b83fae2c38138046c34df99458f2a2760e8845c0866d3229c795832114ccab84267453e2178626db59

memory/3872-198-0x0000000070EE0000-0x0000000071234000-memory.dmp

memory/3872-197-0x00000000707D0000-0x000000007081C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2544-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-224-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2544-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 15:23

Reported

2024-05-16 15:26

Platform

win11-20240426-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\system32\cmd.exe
PID 1980 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1436 wrote to memory of 3308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1980 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\rss\csrss.exe
PID 1980 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\rss\csrss.exe
PID 1980 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe C:\Windows\rss\csrss.exe
PID 3612 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 4708 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 3356 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 3356 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 3356 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 4624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 4624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 4624 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3612 wrote to memory of 1704 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3612 wrote to memory of 1704 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe

"C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe

"C:\Users\Admin\AppData\Local\Temp\b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 9d5bbdd0-e263-4f23-ac7d-605e92e87c98.uuid.allstatsin.ru udp
US 8.8.8.8:53 server6.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server6.allstatsin.ru tcp
BG 185.82.216.104:443 server6.allstatsin.ru tcp
BG 185.82.216.104:443 server6.allstatsin.ru tcp

Files

memory/2976-1-0x0000000002A50000-0x0000000002E56000-memory.dmp

memory/2976-2-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/2976-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4012-4-0x000000007452E000-0x000000007452F000-memory.dmp

memory/4012-5-0x00000000027F0000-0x0000000002826000-memory.dmp

memory/4012-6-0x0000000005070000-0x000000000569A000-memory.dmp

memory/4012-7-0x0000000074520000-0x0000000074CD1000-memory.dmp

memory/4012-8-0x0000000074520000-0x0000000074CD1000-memory.dmp

memory/4012-9-0x0000000004F10000-0x0000000004F32000-memory.dmp

memory/4012-10-0x0000000005710000-0x0000000005776000-memory.dmp

memory/4012-11-0x0000000005780000-0x00000000057E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfn2aiyn.f25.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4012-20-0x00000000058E0000-0x0000000005C37000-memory.dmp

memory/4012-21-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

memory/4012-22-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

memory/4012-23-0x0000000006240000-0x0000000006286000-memory.dmp

memory/4012-26-0x0000000070910000-0x0000000070C67000-memory.dmp

memory/4012-25-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/4012-24-0x00000000070D0000-0x0000000007104000-memory.dmp

memory/4012-37-0x0000000007150000-0x00000000071F4000-memory.dmp

memory/4012-36-0x0000000074520000-0x0000000074CD1000-memory.dmp

memory/4012-35-0x0000000007130000-0x000000000714E000-memory.dmp

memory/4012-38-0x0000000074520000-0x0000000074CD1000-memory.dmp

memory/4012-40-0x0000000007280000-0x000000000729A000-memory.dmp

memory/4012-39-0x00000000078C0000-0x0000000007F3A000-memory.dmp

memory/4012-41-0x00000000072C0000-0x00000000072CA000-memory.dmp

memory/4012-42-0x00000000073D0000-0x0000000007466000-memory.dmp

memory/4012-43-0x00000000072E0000-0x00000000072F1000-memory.dmp

memory/4012-44-0x0000000007330000-0x000000000733E000-memory.dmp

memory/4012-45-0x0000000007340000-0x0000000007355000-memory.dmp

memory/4012-46-0x0000000007390000-0x00000000073AA000-memory.dmp

memory/4012-47-0x00000000073B0000-0x00000000073B8000-memory.dmp

memory/4012-50-0x0000000074520000-0x0000000074CD1000-memory.dmp

memory/1980-52-0x0000000002A40000-0x0000000002E3E000-memory.dmp

memory/3768-61-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/3768-62-0x0000000070910000-0x0000000070C67000-memory.dmp

memory/3768-71-0x0000000006DF0000-0x0000000006E94000-memory.dmp

memory/3768-72-0x0000000007150000-0x0000000007161000-memory.dmp

memory/3768-73-0x00000000071A0000-0x00000000071B5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1501febe01a0f2549de7e07b76eaf6bc
SHA1 7d4b755bb00b79c6ab3fc0b57aceb3396264b799
SHA256 048ba7f985cd76530d069a0b9b115eb3a1086a2dc3f0a3be581a620bb4ffed4b
SHA512 a15d369b0da33547e96c4dcd3f8356f485dfbdde724d35bb5213077c3695edddcbee92b5634fedcf94aec52c7722286b15f3a484ed5a83dc202cd1e9b5b0f295

memory/2976-87-0x0000000002A50000-0x0000000002E56000-memory.dmp

memory/2976-86-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2976-88-0x0000000002E60000-0x000000000374B000-memory.dmp

memory/1324-89-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/1324-90-0x0000000070910000-0x0000000070C67000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 89493c68fa55892dfa14c39eeaa2a7e9
SHA1 42339b53d48604e53918be08b342e59814c56b09
SHA256 6ce2914315c3886fdec941b62535c9dacc6f29a7f849320f04905b0360fe5ddb
SHA512 a15df474e397c90fe55e7df31600a596da55c35aa4fc054a900ac2e519cef8e02eaf8d775409bd5b0236cebd5875a027dc93c4ff24635675bb722060e138a771

memory/2520-109-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/2520-110-0x0000000070910000-0x0000000070C67000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 3aafa11f14ab92b3d3e98784f1adbbc1
SHA1 c1015ea32b75c59f6323c46055d3ef0bbaa80f85
SHA256 b5f6532c96e8d4c5a44d9d2b5f6517704dc2e466bfe374483c43d7dc13f670bd
SHA512 13a886db858101fb79fcfacc00b6ce449607b5906ab63d369e5508710d52e6e52f259a825d7a32f47af52834c3df4adde0b02b965f73e22b5ec90621f1ea947d

memory/1980-123-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 46501c2c8e284869707aafcf09b7d371
SHA1 f1c9733def16d99a1b68b791be0f70e84c8c91be
SHA256 df5b7baac8c9800bb1f1a64829e0d2a89a17a38471c594e8d45aea4820972e93
SHA512 4a2ae56c57011e00325335d23a9fe981733e11e35290125b72cda31858ced52e5109049436d2f8b3cd7bd5a735b72c4918193c9f986881442624f8960a119451

memory/4708-135-0x0000000070790000-0x00000000707DC000-memory.dmp

memory/4708-136-0x0000000070910000-0x0000000070C67000-memory.dmp

memory/3356-154-0x0000000006190000-0x00000000064E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a4b6fd6885fd2d6d40bcb4834853c813
SHA1 4d16633697bb2afda1bf556e3c94a8f1f6589b64
SHA256 90512d26553d02588d5e8cdb7fc37d0cb9c050618f68c3ca3b0753065ac78717
SHA512 62b9c59f6bc523c5783f0faf7a01136576b645a63e40324e63398b6a3ef6fa42e68e6bf14f81b45f7449d565a25d9b0523a63c948f1eedd712b813c06fbeb6da

memory/3356-156-0x0000000006B70000-0x0000000006BBC000-memory.dmp

memory/3356-157-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/3356-158-0x0000000070830000-0x0000000070B87000-memory.dmp

memory/3356-167-0x00000000078C0000-0x0000000007964000-memory.dmp

memory/3356-168-0x0000000007C00000-0x0000000007C11000-memory.dmp

memory/3356-169-0x00000000060D0000-0x00000000060E5000-memory.dmp

memory/4624-179-0x0000000005C90000-0x0000000005FE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b7f3c3f0e067c4b71730d940e1a6880f
SHA1 07bdd0ff997e8bde0720e47b0ac275eaf897e327
SHA256 b93affaa83d0dc2ccb5e7f047459e6cf02dc78aaa0ea7e0056711eaa540f3faa
SHA512 72d2deb1b6204dd27cf757e9446c9f3f0fc26013b3edfc8041b127a786d3ee7d5ede209863a799794976ab30193eb353133c4af24d6fcb0e48b50fd5e0dc8c18

memory/4624-181-0x00000000706B0000-0x00000000706FC000-memory.dmp

memory/4624-182-0x0000000070850000-0x0000000070BA7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3612-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-202-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-212-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3612-222-0x0000000000400000-0x0000000000D1C000-memory.dmp