Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-ls5ppacd2v
Target 0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809
SHA256 0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809

Threat Level: Known bad

The file 0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-17 09:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 09:48
Reported: 2024-05-17 09:51
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3200 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\system32\cmd.exe
PID 776 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 776 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1244 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1244 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\rss\csrss.exe
PID 1244 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\rss\csrss.exe
PID 1244 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe | C:\Windows\rss\csrss.exe
PID 3148 wrote to memory of 1316 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 1316 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 1316 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 5040 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 5040 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 5040 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 3920 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 3920 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 3920 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 4420 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3148 wrote to memory of 4420 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2144 wrote to memory of 2248 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2248 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2248 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 4776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2248 wrote to memory of 4776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2248 wrote to memory of 4776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe

"C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe

"C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 99e5a5d4-3f03-48b2-9551-8ee36d7a0fe6.uuid.alldatadump.org udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server5.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.108:443 server5.alldatadump.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server5.alldatadump.org tcp
BG 185.82.216.108:443 server5.alldatadump.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.108:443 server5.alldatadump.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dnmvxng.z3c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5fb6392e10495098b7a2fc822d1a3de
SHA1 c3c0a7b2a1041c214787f880a118bc5e744ea8b3
SHA256 da4ce4741a76e4cb44cbfa8accd2ba611a60ce86838b5394f4590950589cc809
SHA512 1a7d95b881762c992fd77683f72f92d161a661c07045c5990664807670735491db34e358d205c5376ca3d6f4f4603593013f08fa58ee25b6859b5beb24b20904

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 be2ae8bc18cf83eaf0a4dbb84811f955
SHA1 905fc80801e8cc1b138dfbd19d46f4c90a7bbbd9
SHA256 5b2641b548e5a32e3b8d1c0f94150cdc0908028c9b44673c8c23b6795d53cede
SHA512 a84da3081678dfee13dcb247ec82ab49f4f0ebb7e371bdda42fa62472f86e40089ba5f3733ba142583daa65c3ea5111c3271dd57cccf9438f275dd51c972298d

C:\Windows\rss\csrss.exe

MD5 aa9d2edf579ca886a202919ac6ac79a7
SHA1 e2983a8432e43012de1f6790c28eae9e366718c5
SHA256 0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809
SHA512 0808c3f984cc20fc274fe00c6f5019ce75be1ff7d3c7d753754482c898a3b01ba663f577f407e7635fc1178cf9b50e2f231370ff967eaa2d3a7a772641a0356d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7984e871dec842bb3893f971cf184424
SHA1 9c7b05614466fafcb31c23c0d0b98eb9339000db
SHA256 bb1da699127a2c5257e5ba32bcdbc0ee8dc70f2ab4f246994ac3c107709d69eb
SHA512 b2a3b68d63a3a909d525cfaff817439f66823baaa3cb35a048282ed211bbe8c5ab7e21901c1be77bae15338699dc444f4b2c8eb1ecaf464a8be9d5b023eb4908

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dac24c9a18fafb7e928357debda34135
SHA1 f4ae3e6599b2c75fc8ed0079afe42aac15cb7c32
SHA256 f548582c53bd0ee063fb5097037fce2dcd5a6abd2d07c6d17c754b801012ae49
SHA512 f72648eba3e53c40e3e9f878cfd5cd1ee5ec08deb5d75012fb32f6307c5c8fb08d803af4746e493315c7b0ba0e33d436ca8e85ae976ec8d09fc6d8c3417d5dcb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3c5be3091f6bc324d663361d8f5bf2d9
SHA1 5796a2aa984dd6f49466bdecbb359dbdf74393f5
SHA256 9f0fa12b5fe49b3c6093c74159126e9581c01c04b511e348654c7f5bfea462da
SHA512 24e193c7fb09158e112a28460bbf30ebb613d8bcaad5332424e17ebf2cde79c24e629848e6da4861e8471eb3d226c0260d718b922b01ca0b76e21034a9c5431b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:48

Reported

2024-05-17 09:51

Platform

win11-20240426-en

Max time kernel

41s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 788 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 788 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 788 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\system32\cmd.exe
PID 220 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2848 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 220 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 220 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\rss\csrss.exe
PID 220 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\rss\csrss.exe
PID 220 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe C:\Windows\rss\csrss.exe
PID 4036 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 1204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 1204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 1204 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4036 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

Each entry below gives the process image path, followed on the indented line by the command line it was launched with.

C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe
  "C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe
  "C:\Users\Admin\AppData\Local\Temp\0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
  C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe
  schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
  C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe
  schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe
  "C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe
  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe
  C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3061d13b-b13e-4661-aa82-f98cfcac926f.uuid.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.alldatadump.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server10.alldatadump.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server10.alldatadump.org tcp
BG 185.82.216.108:443 server10.alldatadump.org tcp

Files

memory/788-1-0x0000000004850000-0x0000000004C4B000-memory.dmp

memory/788-2-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/788-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2464-4-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

memory/2464-5-0x0000000002C50000-0x0000000002C86000-memory.dmp

memory/2464-7-0x0000000005350000-0x000000000597A000-memory.dmp

memory/2464-6-0x0000000074B40000-0x00000000752F1000-memory.dmp

memory/2464-8-0x0000000005150000-0x0000000005172000-memory.dmp

memory/2464-9-0x0000000074B40000-0x00000000752F1000-memory.dmp

memory/2464-11-0x0000000005BA0000-0x0000000005C06000-memory.dmp

memory/2464-10-0x0000000005980000-0x00000000059E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3oylau4i.yar.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2464-20-0x0000000005C10000-0x0000000005F67000-memory.dmp

memory/2464-21-0x0000000006120000-0x000000000613E000-memory.dmp

memory/2464-22-0x00000000061D0000-0x000000000621C000-memory.dmp

memory/2464-23-0x0000000006650000-0x0000000006696000-memory.dmp

memory/2464-24-0x0000000007550000-0x0000000007584000-memory.dmp

memory/2464-25-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/2464-27-0x0000000070F40000-0x0000000071297000-memory.dmp

memory/2464-26-0x0000000074B40000-0x00000000752F1000-memory.dmp

memory/2464-37-0x00000000075B0000-0x0000000007654000-memory.dmp

memory/2464-36-0x0000000007590000-0x00000000075AE000-memory.dmp

memory/2464-38-0x0000000074B40000-0x00000000752F1000-memory.dmp

memory/2464-39-0x0000000007D20000-0x000000000839A000-memory.dmp

memory/2464-40-0x00000000076E0000-0x00000000076FA000-memory.dmp

memory/2464-41-0x0000000007720000-0x000000000772A000-memory.dmp

memory/2464-42-0x0000000007830000-0x00000000078C6000-memory.dmp

memory/2464-43-0x0000000007740000-0x0000000007751000-memory.dmp

memory/2464-44-0x0000000007790000-0x000000000779E000-memory.dmp

memory/2464-45-0x00000000077A0000-0x00000000077B5000-memory.dmp

memory/2464-46-0x00000000077F0000-0x000000000780A000-memory.dmp

memory/2464-47-0x0000000007810000-0x0000000007818000-memory.dmp

memory/2464-50-0x0000000074B40000-0x00000000752F1000-memory.dmp

memory/788-51-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/788-53-0x0000000004850000-0x0000000004C4B000-memory.dmp

memory/788-54-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/2120-63-0x0000000005F20000-0x0000000006277000-memory.dmp

memory/2120-64-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/2120-65-0x0000000070F30000-0x0000000071287000-memory.dmp

memory/2120-74-0x0000000007560000-0x0000000007604000-memory.dmp

memory/2120-75-0x0000000007890000-0x00000000078A1000-memory.dmp

memory/2120-76-0x00000000078E0000-0x00000000078F5000-memory.dmp

memory/788-78-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6c30e32d990eb38b135ce5df295b9c63
SHA1 314cded2d528be1bc1ff2acf3654c8cd9e7ded9d
SHA256 91d29afdf1e4d1cb566e7251bb648bfb314af9c743f52d8b9f67fcc960e82a6d
SHA512 8186bc4776e27d4514c90ebb4f7b4340e33339a8b07b619c0ff3b6bc9ab6c40664efb0621ef565860a5ff99b81c68ff5c45cef6ddadabf81476d2da40dba735a

memory/4048-91-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/4048-92-0x0000000070F30000-0x0000000071287000-memory.dmp

memory/220-101-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4764-111-0x0000000005720000-0x0000000005A77000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9e977040688463e6d35e2964b1abd2ae
SHA1 744fe2bd01c804ee093fa0afa53dd4eee2ce8b42
SHA256 11e0da6913072219f0dc06f6d73ce0188198712ed9e4448460997039a0fe5211
SHA512 d5b2c8cb8ed1e22f08a206c37d6c9fc406c247fbe70112eddde09d06745d0a45ad4a18ebb77de2b48063809df514149fe6bbf2899d4817b2c89367bdfafce22a

memory/4764-113-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/4764-114-0x0000000071000000-0x0000000071357000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 aa9d2edf579ca886a202919ac6ac79a7
SHA1 e2983a8432e43012de1f6790c28eae9e366718c5
SHA256 0adcfe6b65204a5a44f87d157ab8be8aab0021faffbdf79967b1b35fc1580809
SHA512 0808c3f984cc20fc274fe00c6f5019ce75be1ff7d3c7d753754482c898a3b01ba663f577f407e7635fc1178cf9b50e2f231370ff967eaa2d3a7a772641a0356d

memory/220-130-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2724-131-0x0000000006130000-0x0000000006487000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab05cffb34ee8841ca4baac031346ba8
SHA1 e876e09a3cfded9c2ef4efe5103c49c9b36f89b6
SHA256 5a9d5b1a8c813eb7e9aa1ac4dabb4beaa1fe6285e419a1028fe29d9b2ca45687
SHA512 a9d1e20918c349ea0b06b14cc0c6eac55298f79eff635a3c0a5a5e5eaa856c41b3d5f8b17c4569f58cbbbc40683ec45a7d8654411e9178b728acc64a41ddf091

memory/2724-141-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/2724-142-0x0000000071020000-0x0000000071377000-memory.dmp

memory/4036-151-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1204-153-0x00000000055B0000-0x0000000005907000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb0d398f78eb7c83bcd464f9a8c3cc60
SHA1 d5cd8b57b70db5e03ec30856897a7cc7a588d37d
SHA256 6c6e73490b4c74ce61ed57d87112c3544869c1f5699214bbee3390ff25c7d284
SHA512 e433e3e8bb47e84dfd3a846664798b3541dc1ea6ee557f16c00a102e92ca1ab49dfd200668157a036d085f2a3dd6543bbb2535676245da1240dd417270f83851

memory/1204-163-0x0000000005FD0000-0x000000000601C000-memory.dmp

memory/1204-164-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

memory/1204-165-0x0000000070F20000-0x0000000071277000-memory.dmp

memory/1204-174-0x0000000006E70000-0x0000000006F14000-memory.dmp

memory/1204-175-0x00000000071A0000-0x00000000071B1000-memory.dmp

memory/1204-176-0x0000000005970000-0x0000000005985000-memory.dmp

memory/3832-186-0x0000000005B90000-0x0000000005EE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c81d736843f5e37457c7c142d41c0527
SHA1 f0f5cbb82f24e7110afe54ebeceb38c0138a471b
SHA256 6fe0390367080adae678e4c4c21864c2637cac5048d34dbffd4f461d1dbc56c5
SHA512 de27a3748b14bf0517a8e6da76528bcac1dad343c5548a3b659f64b500955e54de7c28d5517af3363c4e09e31c2aa3eef1df4492316a0332edba8de0c21d2412

memory/3832-190-0x0000000070CD0000-0x0000000070D1C000-memory.dmp

memory/3832-191-0x0000000070E50000-0x00000000711A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4036-206-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2444-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/876-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2444-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4036-218-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/876-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4036-222-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4036-226-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/876-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4036-230-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4036-234-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4036-238-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/876-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4036-242-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4036-246-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4036-250-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4036-254-0x0000000000400000-0x0000000002B0D000-memory.dmp