Malware Analysis Report

2025-01-02 06:40

Sample ID 240515-wry6mada99
Target cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a
SHA256 cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a

Threat Level: Known bad

The file cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 18:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 18:09

Reported

2024-05-15 18:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 signature matches recorded; the sandbox reported no Description, Indicator, Process or Target for any of them (all fields N/A).

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
6 signature matches recorded; the sandbox reported no Description, Indicator, Process or Target for any of them (all fields N/A).

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (5 events) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 32
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe 12
C:\Windows\rss\csrss.exe 6
(64 events in total; the sandbox recorded no Description, Indicator or Target for any of them.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4168 wrote to memory of 4052 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 4692 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 1208 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 4980 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3524 wrote to memory of 3564 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 4208 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3524 wrote to memory of 2176 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\rss\csrss.exe
PID 2176 wrote to memory of 2584 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3364 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 4804 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3884 (2 events) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2308 wrote to memory of 2384 (3 events) N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 3176 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
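The table above is easier to read as a process tree. The script below is an added example written for this report (it is not sandbox output or the malware's code): it takes the "PID A wrote to memory of B" rows, with their Process and Target images, collapses the repeated rows into one edge per parent/child pair with a write count, and prints the lineage. The one assumption is that each such row records a parent writing into a child it has just spawned, which is how this sandbox reports process creation; two PIDs (4168 and 3524) are the sample itself, matching the two sample entries in the Processes list, and because neither the second sample instance nor windefender.exe (2308) has a parent row in this table, each appears as its own root.

```python
"""Rebuild the process lineage recorded in the 'Suspicious use of
WriteProcessMemory' table.

Added example for this report; it is not the sandbox's or the malware's code.
Assumption: an event 'PID A wrote to memory of B' whose Process column is
image X and whose Target column is image Y means A (X) created B (Y), which
is how this sandbox records a parent writing into a freshly spawned child.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WINDEF = r"C:\Windows\windefender.exe"
CMD64 = r"C:\Windows\system32\cmd.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"

# (Description, Process, Target) rows from the table; the multiplier is how
# many times the sandbox logged that row (one row per write into the child).
ROWS = (
    [("PID 4168 wrote to memory of 4052", SAMPLE, PS)] * 3
    + [("PID 3524 wrote to memory of 4692", SAMPLE, PS)] * 3
    + [("PID 3524 wrote to memory of 1208", SAMPLE, CMD64)] * 2
    + [("PID 1208 wrote to memory of 4980", CMD64, r"C:\Windows\system32\netsh.exe")] * 2
    + [("PID 3524 wrote to memory of 3564", SAMPLE, PS)] * 3
    + [("PID 3524 wrote to memory of 4208", SAMPLE, PS)] * 3
    + [("PID 3524 wrote to memory of 2176", SAMPLE, CSRSS)] * 3
    + [("PID 2176 wrote to memory of 2584", CSRSS, PS)] * 3
    + [("PID 2176 wrote to memory of 3364", CSRSS, PS)] * 3
    + [("PID 2176 wrote to memory of 4804", CSRSS, PS)] * 3
    + [("PID 2176 wrote to memory of 3884", CSRSS, INJECTOR)] * 2
    + [("PID 2308 wrote to memory of 2384", WINDEF, CMD32)] * 3
    + [("PID 2384 wrote to memory of 3176", CMD32, r"C:\Windows\SysWOW64\sc.exe")] * 3
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def parse_edges(rows):
    """Collapse rows into {(ppid, pid): write_count} and {pid: image path}."""
    edges, images = {}, {}
    for desc, src, dst in rows:
        m = ROW_RE.match(desc)
        if not m:
            continue  # an N/A description carries no lineage information
        ppid, pid = int(m.group(1)), int(m.group(2))
        edges[(ppid, pid)] = edges.get((ppid, pid), 0) + 1
        images.setdefault(ppid, src)
        images.setdefault(pid, dst)
    return edges, images


def build_tree(edges):
    """Children per parent (in report order), parent per child, and the roots:
    PIDs that wrote into others but were never written into themselves."""
    children, parents = defaultdict(list), {}
    for ppid, pid in edges:
        children[ppid].append(pid)
        parents[pid] = ppid
    roots = [p for p in children if p not in parents]
    return children, parents, roots


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(edges, images):
    """Indented tree, one 'pid image (writes=n)' line per process."""
    children, _, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        suffix = f" (writes={writes})" if writes else ""
        lines.append("  " * depth + f"{pid} {basename(images[pid])}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(lines)


def ancestry(pid, edges, images):
    """Image names from the root of pid's chain down to pid itself."""
    _, parents, _ = build_tree(edges)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [basename(images[p]) for p in reversed(chain)]


if __name__ == "__main__":
    edges, images = parse_edges(ROWS)
    print(render(edges, images))
    print(" -> ".join(ancestry(3176, edges, images)))
```

Run as-is it prints three trees: the first sample instance with one PowerShell child; the second instance with four PowerShell children, the cmd.exe/netsh.exe firewall change and the dropped csrss.exe, which in turn launches three PowerShell processes and injector.exe; and windefender.exe with the cmd.exe/sc.exe chain that rewrites the service DACL. The ancestry helper answers the question an analyst asks of a single suspicious event ("which chain did sc.exe come from?").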

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe

"C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe

"C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 82b74cf5-cca6-4463-97be-87a1e58a2fa1.uuid.statscreate.org udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.statscreate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server3.statscreate.org tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server3.statscreate.org tcp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.96:443 server3.statscreate.org tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/4168-1-0x00000000047E0000-0x0000000004BE3000-memory.dmp

memory/4168-2-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/4168-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4052-5-0x00000000747DE000-0x00000000747DF000-memory.dmp

memory/4052-6-0x0000000002C80000-0x0000000002CB6000-memory.dmp

memory/4168-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4052-8-0x00000000053F0000-0x0000000005A18000-memory.dmp

memory/4052-7-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4052-9-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4052-10-0x0000000005260000-0x0000000005282000-memory.dmp

memory/4052-11-0x0000000005300000-0x0000000005366000-memory.dmp

memory/4052-12-0x0000000005BD0000-0x0000000005C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xd4x3ts1.3mk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4052-22-0x0000000005D40000-0x0000000006094000-memory.dmp

memory/4052-23-0x0000000006220000-0x000000000623E000-memory.dmp

memory/4052-24-0x0000000006270000-0x00000000062BC000-memory.dmp

memory/4052-25-0x0000000006780000-0x00000000067C4000-memory.dmp

memory/4052-26-0x0000000007540000-0x00000000075B6000-memory.dmp

memory/4052-27-0x0000000007C40000-0x00000000082BA000-memory.dmp

memory/4052-28-0x00000000075E0000-0x00000000075FA000-memory.dmp

memory/4052-29-0x00000000077A0000-0x00000000077D2000-memory.dmp

memory/4052-31-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4052-30-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4052-32-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/4052-42-0x00000000077E0000-0x00000000077FE000-memory.dmp

memory/4052-43-0x0000000007800000-0x00000000078A3000-memory.dmp

memory/4052-44-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4052-45-0x00000000078F0000-0x00000000078FA000-memory.dmp

memory/4052-46-0x00000000079B0000-0x0000000007A46000-memory.dmp

memory/4052-47-0x0000000007910000-0x0000000007921000-memory.dmp

memory/4052-48-0x0000000007950000-0x000000000795E000-memory.dmp

memory/4052-49-0x0000000007960000-0x0000000007974000-memory.dmp

memory/4052-50-0x0000000007A50000-0x0000000007A6A000-memory.dmp

memory/4052-51-0x00000000079A0000-0x00000000079A8000-memory.dmp

memory/4052-54-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4168-57-0x00000000047E0000-0x0000000004BE3000-memory.dmp

memory/4168-58-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/4168-56-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4168-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4692-65-0x00000000062D0000-0x0000000006624000-memory.dmp

memory/4692-70-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4692-71-0x0000000070DF0000-0x0000000071144000-memory.dmp

memory/4692-81-0x0000000007AF0000-0x0000000007B93000-memory.dmp

memory/4692-82-0x0000000007E00000-0x0000000007E11000-memory.dmp

memory/3524-84-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4692-85-0x0000000007E50000-0x0000000007E64000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 49af095445fc11256186f41944c4c7f5
SHA1 d76ed97c41931076edf2b5394ee3a1822074d2b9
SHA256 a6550b60e7cba45b3c25c0bb961b85314ea75e19424544b1b5fa2c11bc2175cd
SHA512 b6f44675c8641d3221a75351400475c526221053b7d9022088b13c2512a5e4231345afc68fa0d02fe945598e48b16859cbe497b3cf988ba8ccef01e4ca6d03b8

memory/3564-99-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/3564-100-0x0000000070DF0000-0x0000000071144000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb02cb56a07793ccba0ee0b4cbffba23
SHA1 5bb9e4ac008f37d91243b17fc0011c95eecc2f7e
SHA256 d26cc48c312be079265e3dac8f6114295374e7742986d5f9d865d446bda4e9a8
SHA512 e4204775b719fd7e9636e6e8f855a3ddbeb436ced614604e34661293f8b736fbfd145d21028ef7929df76512c963f7b9fe9f3e9646b2445d625731fdd8b1b1ab

memory/4208-121-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/4208-122-0x00000000707F0000-0x0000000070B44000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 73aeda66150b96d5a58ca07b072740e3
SHA1 2f5753e8a5c46b3bc28cfc95a487b11e22a3498e
SHA256 cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a
SHA512 7123d02b1321124cb2e52a1f06e273485e65e8ee8e85405cf99464e49dc2dc54c6321bfc6170cdc5228b76fe5ed732ad75977f0fadade48602df1fcd525211ba

memory/3524-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 089ef4579952d692e2898346f7c8192b
SHA1 54e6f047cfb30e9741db3a293e81a68896567388
SHA256 32f43a5d3db015a9f6c39f9db89bdc768546d6841204e56bd53aafdec1badd16
SHA512 734295d0101a82cc22dd26eccb10b1ab90634618bea97eb03032efc7c4e64106db9d5dd6db712e82823e14c85862d3cac1edab15199dc683bf409a4278aa6a11

memory/2584-151-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/2584-150-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/2176-162-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3364-164-0x00000000058B0000-0x0000000005C04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 575a79f972010aa01b12c137dba2d8b6
SHA1 f1f1b6d92b843b454dc4c26dd72eb2f49415250c
SHA256 05272cf0d570d5b2e259bfe666a590bbd1e4764f9288b48a249a85032e92f1fb
SHA512 f46be2ae3ab107c9b7f079190d0cca4f05980a14dfe270492d659e700399ecbe58a0a88e117a2e30cd658bf167b837714092724ca98390d01693595946b54eec

memory/3364-175-0x0000000005FE0000-0x000000000602C000-memory.dmp

memory/3364-177-0x0000000070590000-0x00000000705DC000-memory.dmp

memory/3364-178-0x0000000070D20000-0x0000000071074000-memory.dmp

memory/3364-188-0x0000000007200000-0x00000000072A3000-memory.dmp

memory/3364-189-0x0000000007530000-0x0000000007541000-memory.dmp

memory/3364-190-0x0000000005DC0000-0x0000000005DD4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1fa97cbb4f1c2eecd94780ba4009536e
SHA1 41c67aa3de1021c2574956e897e3a54cc4c5848d
SHA256 a4f42de783ac2fa286bf5af434b2eb51d9072891f5255674cb6cb5bf0550a2dd
SHA512 494850c88900f7315d8701fcd8233cb6df4d7ef7d5693c44612ad5c3a57ef915185935e544e86a2ea3b451b8f94322ab84096c2dbc1c9921b72ba5c24125ae81

memory/4804-203-0x0000000070D20000-0x0000000071074000-memory.dmp

memory/4804-202-0x0000000070590000-0x00000000705DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2176-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2308-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2308-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2176-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1776-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2176-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2176-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1776-242-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2176-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2176-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2176-250-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1776-255-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2176-254-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2176-257-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2176-261-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 18:09

Reported

2024-05-15 18:12

Platform

win11-20240426-en

Max time kernel

36s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4908 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\system32\cmd.exe
PID 1012 wrote to memory of 916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1012 wrote to memory of 916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2368 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\rss\csrss.exe
PID 2368 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\rss\csrss.exe
PID 2368 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe C:\Windows\rss\csrss.exe
PID 1676 wrote to memory of 2132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2132 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 3348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 3348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 3348 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1676 wrote to memory of 2288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe

"C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe

"C:\Users\Admin\AppData\Local\Temp\cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 fee5fdd9-27ff-4a25-a1be-9093da85e312.uuid.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server5.statscreate.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server5.statscreate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server5.statscreate.org tcp
BG 185.82.216.96:443 server5.statscreate.org tcp
BG 185.82.216.96:443 server5.statscreate.org tcp

Files

memory/4908-1-0x0000000004910000-0x0000000004D12000-memory.dmp

memory/4908-2-0x0000000004D20000-0x000000000560B000-memory.dmp

memory/4908-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2664-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

memory/2664-5-0x0000000002F60000-0x0000000002F96000-memory.dmp

memory/2664-7-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/2664-6-0x0000000005A20000-0x000000000604A000-memory.dmp

memory/2664-8-0x0000000006100000-0x0000000006122000-memory.dmp

memory/2664-9-0x00000000061A0000-0x0000000006206000-memory.dmp

memory/2664-10-0x0000000006210000-0x0000000006276000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjcpv2hu.e0j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2664-19-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/2664-20-0x0000000006280000-0x00000000065D7000-memory.dmp

memory/2664-21-0x0000000006750000-0x000000000676E000-memory.dmp

memory/2664-22-0x00000000067A0000-0x00000000067EC000-memory.dmp

memory/2664-23-0x0000000006CE0000-0x0000000006D26000-memory.dmp

memory/2664-36-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/2664-35-0x0000000007BD0000-0x0000000007BEE000-memory.dmp

memory/2664-26-0x0000000071040000-0x0000000071397000-memory.dmp

memory/2664-25-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

memory/2664-37-0x0000000007BF0000-0x0000000007C94000-memory.dmp

memory/2664-24-0x0000000007B70000-0x0000000007BA4000-memory.dmp

memory/2664-38-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/2664-39-0x0000000008360000-0x00000000089DA000-memory.dmp

memory/2664-40-0x0000000007D20000-0x0000000007D3A000-memory.dmp

memory/2664-41-0x0000000007D60000-0x0000000007D6A000-memory.dmp

memory/2664-42-0x0000000007E70000-0x0000000007F06000-memory.dmp

memory/2664-43-0x0000000007D80000-0x0000000007D91000-memory.dmp

memory/2664-44-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

memory/2664-45-0x0000000007DE0000-0x0000000007DF5000-memory.dmp

memory/2664-46-0x0000000007E30000-0x0000000007E4A000-memory.dmp

memory/2664-47-0x0000000007E20000-0x0000000007E28000-memory.dmp

memory/2664-50-0x0000000074C50000-0x0000000075401000-memory.dmp

memory/4908-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4908-53-0x0000000004910000-0x0000000004D12000-memory.dmp

memory/4908-54-0x0000000004D20000-0x000000000560B000-memory.dmp

memory/3844-64-0x0000000071040000-0x0000000071397000-memory.dmp

memory/3844-63-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

memory/3844-73-0x0000000007140000-0x00000000071E4000-memory.dmp

memory/3844-74-0x0000000007470000-0x0000000007481000-memory.dmp

memory/3844-75-0x00000000074C0000-0x00000000074D5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4892-79-0x0000000005740000-0x0000000005A97000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 460592fb22945400f1576adfaa4a382b
SHA1 3dc876e4f107ecbf507f416007c6560293a8b1a8
SHA256 4f2b96859a2e69bf812cd189fa745fd6b872f7b1ecc502361da26707f50e627f
SHA512 03c7ff95e7f70901b4ea8003c64f1441e13968e8e769325168566d82d9e4e61ed1e8d4b10325b887ab0a7aa1a092fe1e3e8acbcad97c0d5701038382ef41028f

memory/4892-90-0x0000000071110000-0x0000000071467000-memory.dmp

memory/4892-89-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

memory/4908-101-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2368-100-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2992-103-0x00000000056A0000-0x00000000059F7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f198fcd4ee897516fdbe9faa414a1124
SHA1 caf865f763bea62ee41e97ec99bb6c895f1f9037
SHA256 200cacc653c4c47cadc71b062a7397f7e4e9eaa2c423657323dfbaab024ba963
SHA512 e25e5af90ee93fbf6acab87e2aad479bf772ad55c4a54d6fe7112c5e45fc640f7720448bfe5697358f15f47fb2d7e84291882fdb55e14b4d132a85f685e52460

memory/2992-113-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

memory/2992-114-0x0000000071130000-0x0000000071487000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 73aeda66150b96d5a58ca07b072740e3
SHA1 2f5753e8a5c46b3bc28cfc95a487b11e22a3498e
SHA256 cfb4ceb65b0205b326991a4e293eaffec8d80a0eddcf1e409b904fc7caf55c6a
SHA512 7123d02b1321124cb2e52a1f06e273485e65e8ee8e85405cf99464e49dc2dc54c6321bfc6170cdc5228b76fe5ed732ad75977f0fadade48602df1fcd525211ba

memory/2368-130-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2132-139-0x0000000005990000-0x0000000005CE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2c3ac9f535394d9a74a6d8836bec406f
SHA1 b044252b5f8b6cda94e6bf310b63b0495b27a61c
SHA256 cee2905096711fcaaf47dc67892e30dc5cd870c270afb9e3b6519d5fac80a9b7
SHA512 bc5ea0b55e6a1e705557487c6a4fe070a92adbf4924e99c94f0656e11e26b6912e749fed88bb9fc84ba2a29afae8824e3ce7a26e3462c86846862ce809f91ad8

memory/2132-141-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

memory/2132-142-0x00000000710D0000-0x0000000071427000-memory.dmp

memory/3348-160-0x0000000005D80000-0x00000000060D7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 09886bb8f38d1ee6ed51ec2db9b12ecf
SHA1 c28ccecee847ccb12e7c40e9945337e2a3df3dff
SHA256 1b9613a391c83ef0bd0ce8152d0d3fa316977a441c14ed4ecab07e457c119425
SHA512 651ea286e52ba8c6553d74905cd744411a05db4fede17b79a3f30a8f6c5b93917ed0328ed35697af6c42215765da8a52e50903394efd7e7b4e9458db14e71b8d

memory/3348-162-0x0000000006560000-0x00000000065AC000-memory.dmp

memory/3348-163-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

memory/3348-164-0x0000000070F80000-0x00000000712D7000-memory.dmp

memory/3348-173-0x0000000007680000-0x0000000007724000-memory.dmp

memory/3348-174-0x00000000079F0000-0x0000000007A01000-memory.dmp

memory/3348-175-0x0000000006160000-0x0000000006175000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e41a67e801a6efb1f922176beb4dec4b
SHA1 5ff77529feaf8576a72938844b292e1164bdae9c
SHA256 00b2afc049c76b025a927f65cd063bc4f9c00ea84932ba028ba2c37f5a08713c
SHA512 035bdc31ec2fb56dab19c646e02e776f36a00ade0b3b491050894be83954e670ff03a3f4a8b642cce1bef825a43ac81d20cbe05c087be059834ec3945d0e46e1

memory/2288-186-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

memory/2288-187-0x0000000070F80000-0x00000000712D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1676-204-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3828-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1636-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3828-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1676-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1636-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1676-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-224-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1636-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1676-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-248-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-252-0x0000000000400000-0x0000000002B0B000-memory.dmp