Malware Analysis Report

2024-11-13 19:42

Sample ID 240517-qnfxzsad61
Target 949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd
SHA256 949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd

Threat Level: Known bad

The file 949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 13:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 13:24

Reported

2024-05-17 13:26

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\system32\cmd.exe
PID 4380 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5096 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4380 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4380 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\rss\csrss.exe
PID 4380 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\rss\csrss.exe
PID 4380 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\rss\csrss.exe
PID 5100 wrote to memory of 3784 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3784 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3784 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 1200 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 1200 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 1200 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 5032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 5032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 5032 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5100 wrote to memory of 3780 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5100 wrote to memory of 3780 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2244 wrote to memory of 4552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 4552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 4552 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4552 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4552 wrote to memory of 396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe

"C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe

"C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 13:24

Reported

2024-05-17 13:26

Platform

win11-20240426-en

Max time kernel

29s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1688 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1688 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe C:\Windows\rss\csrss.exe
PID 3312 wrote to memory of 2148 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1036 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 1432 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe

"C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe

"C:\Users\Admin\AppData\Local\Temp\949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3408 -ip 3408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1688 -ip 1688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 950cb63b-8982-410e-9039-487e85369de0.uuid.myfastupdate.org udp
US 8.8.8.8:53 server4.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.111:443 server4.myfastupdate.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 104.21.94.82:443 carsalessystem.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uoypbpmj.ozw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 74900bcf4729a6d08a1838d12a718cca
SHA1 78857ecb79bde67150e7deb45559baad1349df02
SHA256 7291e8ec4313634d5eb7db29a6d7a13a06569576264d4da4a6d93d413435d694
SHA512 50b7ed99fe0db0947a818edf2b5635a7a9d4c05b757f4c8cd2f84c09c825c2767f4d2f956840ea9916de0d678357ebcd46d8adabc9c794250092d536dcfe91f7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 06b5f10b3048a2cf14a7633654a803ed
SHA1 e644485b1c39c22320ae68b39ceeef7a00993f9e
SHA256 53cb8186dfb42a75960b6a2148701b2f4fa0f49944a47dbbf1ffc5b0c8f2474b
SHA512 23b313164a2f4760b3b23a4a0113bd188143974bd3dbca0fc15703e8d49d4ca4d5fe84abedd0d798555fdcb0f2879d0448fa30af22dcbd3e99ac83176db3e5df

C:\Windows\rss\csrss.exe

MD5 1ff97a9a48a8a195b078710b6b737107
SHA1 b313161f322790b09ccb1d847799df6c9535aadc
SHA256 949d2aaf5120bdfffb4c74c0886a49f3d03689383af8f2aa54fef104ffc6e8dd
SHA512 d6800c20afa86db257b2e60ebb044b2c27705e3063cb4e1a008265407e2ecc2aa0e14602163defc29ac3d61531fbc36bec04961d209e43472c0842731e17b7d9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 71d861e3ed1fb46de5e5e014423bc9c6
SHA1 8977f7dfb1e1e901aec7e3a90c88cc4b92e94099
SHA256 9f2be341c77c5fb39c70b9847539b796c75965389a15bbb850b2e19e3748d377
SHA512 8a8f13efedd7299716e8b6fb54f5f6fdc8340bb0a2babc254fadbe0c227cd77beb600fc61a357482a6cd65fd02eae6b75550cbf314a4e7425625ad8ac7bb6e5d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1ef884f476e790d34c92931d0a523aca
SHA1 2904e87dfa0ff4939fb19dd57fe91757de039e02
SHA256 8ac652a93ff58050dd5551d3e20d4788821a2eed066d5d13ff7ff53cb66be8b0
SHA512 a3caf36ab2950e9ab2619b510b12c1ec6aac9f53e2daf6b71257b1c4b878a774725e49c74aa45f9f4ce6ad75821954f2a4e77307ea5e2e8c1298f1f7adecba00

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 14ba104b8cdbd5f6fa18889d280bfb7c
SHA1 c80301617038185c952cb56d4a5256084cfa7f8c
SHA256 04b3793b9a348050cb9f794d6c58c1ad06c6de035f0b85b463b96f8bfdf12edd
SHA512 0f978b424e9375aac2196a48d15de35d4fc552955f72bd400ad6171b85adae00d012fbd3764088a8e9550cb8d9d2a341a8cc7a3dca43c03e3c68cce6a6c95833

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
