Malware Analysis Report

2025-01-02 06:30

Sample ID 240515-3qfffsac2v
Target 26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86
SHA256 26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86

Threat Level: Known bad

The file 26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:42

Reported

2024-05-15 23:45

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2104 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2104 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 3276 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\system32\cmd.exe
PID 852 wrote to memory of 3276 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 1400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3276 wrote to memory of 1400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 852 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\rss\csrss.exe
PID 852 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\rss\csrss.exe
PID 852 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe | C:\Windows\rss\csrss.exe
PID 2488 wrote to memory of 3440 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3440 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3440 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3936 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3936 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3936 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1664 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1664 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 1664 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 4380 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2488 wrote to memory of 4380 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1924 wrote to memory of 4760 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 4760 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 4760 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4760 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 4760 wrote to memory of 1380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe

"C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe

"C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 331b99c4-5180-4cb4-9474-c2f58f689d08.uuid.statstraffic.org udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server12.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server12.statstraffic.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server12.statstraffic.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.104:443 server12.statstraffic.org tcp

Files

memory/2104-1-0x0000000004770000-0x0000000004B6D000-memory.dmp

memory/2104-2-0x0000000004B70000-0x000000000545B000-memory.dmp

memory/2104-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3280-4-0x000000007442E000-0x000000007442F000-memory.dmp

memory/3280-5-0x0000000004B50000-0x0000000004B86000-memory.dmp

memory/3280-6-0x0000000005300000-0x0000000005928000-memory.dmp

memory/3280-7-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/3280-8-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/3280-9-0x0000000005180000-0x00000000051A2000-memory.dmp

memory/3280-11-0x0000000005B10000-0x0000000005B76000-memory.dmp

memory/3280-10-0x0000000005AA0000-0x0000000005B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yayh3uhf.2gd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3280-21-0x0000000005C80000-0x0000000005FD4000-memory.dmp

memory/3280-22-0x0000000006110000-0x000000000612E000-memory.dmp

memory/3280-23-0x0000000006160000-0x00000000061AC000-memory.dmp

memory/3280-24-0x00000000066B0000-0x00000000066F4000-memory.dmp

memory/3280-25-0x0000000007460000-0x00000000074D6000-memory.dmp

memory/3280-27-0x0000000007500000-0x000000000751A000-memory.dmp

memory/3280-26-0x0000000007B60000-0x00000000081DA000-memory.dmp

memory/3280-30-0x00000000702C0000-0x000000007030C000-memory.dmp

memory/3280-31-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/3280-42-0x00000000076F0000-0x000000000770E000-memory.dmp

memory/3280-43-0x0000000007710000-0x00000000077B3000-memory.dmp

memory/3280-44-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/3280-45-0x0000000007800000-0x000000000780A000-memory.dmp

memory/2104-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3280-32-0x0000000070440000-0x0000000070794000-memory.dmp

memory/3280-29-0x00000000076B0000-0x00000000076E2000-memory.dmp

memory/3280-46-0x00000000078C0000-0x0000000007956000-memory.dmp

memory/3280-47-0x0000000007820000-0x0000000007831000-memory.dmp

memory/3280-48-0x0000000007860000-0x000000000786E000-memory.dmp

memory/3280-49-0x0000000007870000-0x0000000007884000-memory.dmp

memory/3280-50-0x0000000007960000-0x000000000797A000-memory.dmp

memory/3280-51-0x00000000078A0000-0x00000000078A8000-memory.dmp

memory/3280-54-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/2104-66-0x0000000004B70000-0x000000000545B000-memory.dmp

memory/2104-65-0x0000000004770000-0x0000000004B6D000-memory.dmp

memory/3148-78-0x0000000007270000-0x0000000007313000-memory.dmp

memory/3148-68-0x0000000070440000-0x0000000070794000-memory.dmp

memory/3148-67-0x00000000702C0000-0x000000007030C000-memory.dmp

memory/3148-79-0x0000000007580000-0x0000000007591000-memory.dmp

memory/3148-80-0x00000000075D0000-0x00000000075E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d40661e3d00c0e2ee508a71208d00c55
SHA1 96404e113dfe052bd6a807aac1498458abef7472
SHA256 e9d12b2ac15dc3be29f4ef8744d56d3a1578aed51661d4bf9582b03aec137bfe
SHA512 49acceff0ca5a7b9a9ace289768044302ad5a79c6e7e8b3641364830738a31d734e43c67527c7a4f065b080046a245064f71c905a1a2f474e5afacba348c9691

memory/1060-96-0x0000000070440000-0x0000000070794000-memory.dmp

memory/1060-95-0x00000000702C0000-0x000000007030C000-memory.dmp

memory/2104-94-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6969f147c7b1f68949d4c2600fcece3e
SHA1 81fa51edf08b760dfd45805c7983853f56e9e1ad
SHA256 bb418469b2e31e2f79547a3fbe24f9cd17b689fcb371b9a32d9f90d758b922a1
SHA512 ef07a68fe08d7528307ee8c6ae4e6494245e4fa48c7fbbd9e465ad710c18ebfe8308c08bb3349fb78573ac04a3a38f0d9ca8354abcc4ffd7dca21e56bda76187

memory/5072-116-0x0000000005630000-0x0000000005984000-memory.dmp

memory/5072-119-0x0000000070890000-0x0000000070BE4000-memory.dmp

memory/5072-118-0x00000000702C0000-0x000000007030C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d224c01165136763824cb4cf0144493f
SHA1 9bc66aac34d81bbfb85e9f7e2e02d2c25d8d0394
SHA256 26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86
SHA512 fd908bf6b893bd367f35e4c7b4bbf2cc92634479fa56d825b5495931284e52cf120e52ae74c79d10e872a71f92e446df5b0e74c89d735106790e23da4f5827d2

memory/2104-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/852-135-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4ddc94e0d95e324d5bdf9d03dbe72282
SHA1 90a6e15e248934aa3e379ddf18cb8791729a890a
SHA256 95bddff9b853b9bbba6d4092461a45e87713aa2518b55c69c584c684bff57457
SHA512 266f59b10fd3fd6d2053ed6f48eb81cca06a45b41fd62a315a0288b74e939fdf7cbb87c2519268a53dfd3a473409b073550cbd50d16995f954222b9a6f39d0f9

memory/3440-146-0x0000000005890000-0x0000000005BE4000-memory.dmp

memory/3440-149-0x0000000070A40000-0x0000000070D94000-memory.dmp

memory/3440-148-0x00000000702C0000-0x000000007030C000-memory.dmp

memory/3936-169-0x0000000006360000-0x00000000066B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2954cb6f7946f25e375569a80025a23
SHA1 0be7b6dd5e1bdd45a785d065979a693a35ce775b
SHA256 8c29eed68768cd7a0bb137a39863df516e7b1cb2271b8be5734405e7e468eaf1
SHA512 ec88e51944cdd10c42ead8bb4ed406906863fa6f26e0a8baf3c354ffd9cb55045118515faa3057b33a25eeb749009692bc7970fbfc6805340b83573d0b03b079

memory/3936-171-0x0000000006920000-0x000000000696C000-memory.dmp

memory/3936-183-0x0000000007B50000-0x0000000007BF3000-memory.dmp

memory/3936-173-0x0000000070390000-0x00000000706E4000-memory.dmp

memory/3936-172-0x00000000701E0000-0x000000007022C000-memory.dmp

memory/3936-184-0x0000000007E70000-0x0000000007E81000-memory.dmp

memory/3936-185-0x0000000006720000-0x0000000006734000-memory.dmp

memory/1664-196-0x00000000062F0000-0x0000000006644000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 19c2735f6863afe43f7b4c2f2ad3d655
SHA1 cd1a1149b5d844eeabf564eabc5b2212f1dc885b
SHA256 d221c8328bad0eb2cab6f278999636084d1277b27c7ed4e909df0e9bd2375195
SHA512 5b02642ce0f064a23a4084aeff0746a27d74713c06c98d0c84cb02c72dc3bcd093106910709f90c5fb0faaf30483d4d0c88afec0542608099d26f6c9310660fc

memory/1664-200-0x0000000070360000-0x00000000706B4000-memory.dmp

memory/1664-199-0x00000000701E0000-0x000000007022C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2488-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1924-223-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1924-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1316-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2488-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1316-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2488-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1316-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2488-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-260-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-265-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2488-269-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:42

Reported

2024-05-15 23:45

Platform

win11-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2748 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2748 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\system32\cmd.exe
PID 3608 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4536 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3608 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\rss\csrss.exe
PID 3608 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\rss\csrss.exe
PID 3608 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe C:\Windows\rss\csrss.exe
PID 3308 wrote to memory of 2868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2716 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 1676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 1676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 1676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3308 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3308 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4980 wrote to memory of 2296 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 2296 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 2296 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2296 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2296 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
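The WriteProcessMemory rows above are the most reliable parent/child evidence in this report, but they are noisy: the sandbox emits one row per write, so every pair repeats, and because Windows recycles PIDs over a 149 s detonation the same PID can denote two different processes (2952 is a powershell.exe child of 3608 early on and an injector.exe child of 3308 later). The following Python is an added example, not part of the report or of any sandbox tooling; it parses a constructed subset of the rows copied from this table, collapses the duplicates into a process tree and flags PID reuse so it is not misread as one process with two parents.

```python
import re
from collections import defaultdict

# Added example (not part of the sandbox report). Constructed sample input:
# rows copied from the "Suspicious use of WriteProcessMemory" table above.
# The sandbox logs one row per write, so a parent/child pair repeats.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WPM_ROWS = [
    f"PID 2748 wrote to memory of 3572 N/A {SAMPLE} {PS}",
    f"PID 2748 wrote to memory of 3572 N/A {SAMPLE} {PS}",
    f"PID 2748 wrote to memory of 3572 N/A {SAMPLE} {PS}",
    f"PID 3608 wrote to memory of 2952 N/A {SAMPLE} {PS}",
    f"PID 3608 wrote to memory of 2952 N/A {SAMPLE} {PS}",
    rf"PID 3608 wrote to memory of 4536 N/A {SAMPLE} C:\Windows\system32\cmd.exe",
    r"PID 4536 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe",
    f"PID 3608 wrote to memory of 3308 N/A {SAMPLE} {CSRSS}",
    f"PID 3308 wrote to memory of 2868 N/A {CSRSS} {PS}",
    f"PID 3308 wrote to memory of 2952 N/A {CSRSS} {INJECTOR}",
    r"PID 4980 wrote to memory of 2296 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2296 wrote to memory of 3976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Turn report rows into (parent_pid, child_pid, parent_image, child_image)."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:  # header, blank or unparseable lines are skipped
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def build_tree(events):
    """Parent PID -> ordered list of unique (child PID, child image) edges."""
    tree = defaultdict(list)
    for ppid, cpid, _pimg, cimg in events:
        if (cpid, cimg) not in tree[ppid]:
            tree[ppid].append((cpid, cimg))
    return dict(tree)


def roots(events):
    """PIDs that write to others but are never written to themselves."""
    children = {cpid for _, cpid, _, _ in events}
    out = []
    for ppid, *_ in events:
        if ppid not in children and ppid not in out:
            out.append(ppid)
    return out


def find_pid_reuse(events):
    """Child PIDs that appear under more than one (parent, image) pair.
    The report spans the whole detonation and Windows recycles PIDs, so
    one PID showing up with two different images is reuse, not a process
    with two parents."""
    by_child = defaultdict(list)
    for ppid, cpid, _pimg, cimg in events:
        if (ppid, cimg) not in by_child[cpid]:
            by_child[cpid].append((ppid, cimg))
    return {c: v for c, v in by_child.items() if len(v) > 1}


def render_tree(events):
    """Indented text tree, one line per (PID, image) edge."""
    tree = build_tree(events)
    parent_image = {}
    for ppid, _cpid, pimg, _cimg in events:
        parent_image.setdefault(ppid, pimg)
    lines = []

    def walk(pid, image, depth, path):
        lines.append("  " * depth + f"{pid} {image}")
        for cpid, cimg in tree.get(pid, []):
            if cpid not in path:  # a reused PID could otherwise loop forever
                walk(cpid, cimg, depth + 1, path | {cpid})

    for r in roots(events):
        walk(r, parent_image[r], 0, {r})
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_rows(WPM_ROWS)
    print(render_tree(ev))
    print("PID reuse:", find_pid_reuse(ev))
```

Three roots come out of these rows: the first sample instance (2748), a second instance (3608, whose own parent is not recorded here) that spawns the netsh, PowerShell and csrss.exe children, and windefender.exe (4980) that drives cmd.exe into sc.exe. Run against the full table the same way; the only change is the input list.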

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe

"C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe

"C:\Users\Admin\AppData\Local\Temp\26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
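The sc sdset command in the process list above replaces the security descriptor of the WinDefender service. Compared with a stock service descriptor, the Administrators allow ACE has lost WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and an explicit deny ACE (D;;WPDT;;;BA) is added for the same two rights, so an administrator can no longer stop or pause the service from services.msc, sc.exe or Stop-Service. Administrators do keep DC (SERVICE_CHANGE_CONFIG), SD (DELETE) and WD (WRITE_DAC), which is why an elevated sc sdset with a sane descriptor, or sc delete, still works during cleanup. The Python below is an added example, not part of the report or of Windows tooling; it decodes the exact SDDL string from this report and compares it against an assumed baseline descriptor (the one sc sdshow returns for a typical service, stated here as an assumption rather than taken from the page).

```python
import re

# Added example (not part of the sandbox report). Constructed sample input:
# the SDDL this sample passes to "sc sdset WinDefender", copied from the
# Processes list above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumed baseline: the descriptor "sc sdshow" returns for a typical Windows
# service. Used only as a point of comparison, not taken from the report.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL right tokens as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "Administrators",
                   "IU": "Interactive users", "SU": "Service logon users",
                   "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}


def parse_sddl(sddl):
    """Split an SDDL string into its DACL and SACL ACE lists.
    Each ACE becomes {'type', 'flags', 'rights', 'trustee'}; the two GUID
    fields are ignored because service ACEs do not use them. A numeric
    rights mask (0x...) is kept as a single undecoded token."""
    acls = {"dacl": [], "sacl": []}
    for key, section in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", section):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, flags, rights, _obj, _inherit, sid = fields
            if rights.lower().startswith("0x"):
                decoded = [rights]
            else:
                decoded = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)]
            acls["dacl" if key == "D" else "sacl"].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": decoded,
                "trustee": WELL_KNOWN_SIDS.get(sid, sid),
            })
    return acls


def effective(dacl, trustee, right):
    """Order-sensitive check for one trustee and one right: the first ACE
    for that trustee that mentions the right decides, deny or allow, which
    is how the access check treats a single requested bit. Assumption: the
    caller's token carries only this SID (no group expansion)."""
    for ace in dacl:
        if ace["trustee"] == trustee and right in ace["rights"]:
            return ace["type"] == "allow"
    return False


def rights_lost(sddl, baseline_sddl=DEFAULT_SERVICE_SDDL):
    """Rights each trustee holds in the baseline DACL but not in sddl."""
    cur = parse_sddl(sddl)["dacl"]
    lost = {}
    for ace in parse_sddl(baseline_sddl)["dacl"]:
        if ace["type"] != "allow":
            continue
        missing = [r for r in ace["rights"] if not effective(cur, ace["trustee"], r)]
        if missing:
            lost[ace["trustee"]] = missing
    return lost


if __name__ == "__main__":
    for ace in parse_sddl(WINDEFENDER_SDDL)["dacl"]:
        print(ace["type"], ace["trustee"], ace["rights"])
    print("lost vs baseline:", rights_lost(WINDEFENDER_SDDL))
```

The deny ACE sits after the Administrators allow ACE, which is non-canonical order; it makes no difference here because the rewritten allow ACE no longer grants WP or DT, so the outcome is the same whichever ACE is hit first. On a live host, sc sdshow WinDefender fed into parse_sddl gives the same view without trusting the report.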

Network

Country Destination Domain Proto
US 8.8.8.8:53 eb5d321b-d793-4401-9fb3-cfaf5d4510de.uuid.statstraffic.org udp
US 8.8.8.8:53 server14.statstraffic.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
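The network table mixes three kinds of rows that are worth separating before pulling indicators: DNS queries to the sandbox resolver (8.8.8.8:53/udp), reverse lookups of IPs that were just contacted (the in-addr.arpa names), and actual connections. The first row is the one that matters most: a query for a UUID-labelled subdomain of statstraffic.org that is never followed by a connection to that name, the shape of a per-victim check-in carried in DNS alone. The table does not record the answers, so a DNS-only name may be a beacon or simply a failed resolution; the Python below, an added example that is not part of the report, classifies the rows as copied from the table and leaves that call to the analyst.

```python
import re

# Added example (not part of the sandbox report). Constructed sample input:
# the Network table above, one row per line, as the report prints it.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 eb5d321b-d793-4401-9fb3-cfaf5d4510de.uuid.statstraffic.org udp
US 8.8.8.8:53 server14.statstraffic.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server14.statstraffic.org tcp
""".splitlines()

ROW = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")
UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def parse_network(rows):
    """Rows -> dicts; the header and anything unparseable are skipped."""
    out = []
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            out.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                        "domain": m[4].lower(), "proto": m[5]})
    return out


def is_dns_query(e):
    return e["port"] == 53 and e["proto"] == "udp"


def reverse_lookup_target(domain):
    """'104.216.82.185.in-addr.arpa' -> '185.82.216.104', else None."""
    if not domain.endswith(".in-addr.arpa"):
        return None
    octets = domain[:-len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def analyze(rows):
    """Split the table into DNS-only names, UUID-labelled names, reverse
    lookups (decoded back to the IP) and real connections per domain."""
    queried, contacted, reverse, uuid_labelled = [], {}, [], []
    for e in parse_network(rows):
        d = e["domain"]
        if is_dns_query(e):
            ip = reverse_lookup_target(d)
            if ip:
                if ip not in reverse:
                    reverse.append(ip)
                continue
            if d not in queried:
                queried.append(d)
            if UUID_LABEL.match(d.split(".")[0]) and d not in uuid_labelled:
                uuid_labelled.append(d)
        else:
            dest = f'{e["ip"]}:{e["port"]}/{e["proto"]}'
            contacted.setdefault(d, [])
            if dest not in contacted[d]:
                contacted[d].append(dest)
    return {
        "uuid_labelled": uuid_labelled,
        "dns_only": [d for d in queried if d not in contacted],
        "reverse_lookups": reverse,
        "contacted": contacted,
    }


if __name__ == "__main__":
    for k, v in analyze(NETWORK_ROWS).items():
        print(k, v)
```

For blocking purposes the registrable domain (statstraffic.org) is the indicator, not the UUID label, which is generated per victim; the UUID regex is there to recognise the pattern in other samples' traffic, not to match this one host name. The two reverse lookups decode to the IPs behind server14.statstraffic.org and carsalessystem.com; the table does not say whether the malware or the sandbox issued them.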

Files

memory/2748-1-0x00000000048C0000-0x0000000004CBC000-memory.dmp

memory/2748-2-0x0000000004CC0000-0x00000000055AB000-memory.dmp

memory/2748-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3572-4-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

memory/3572-5-0x00000000027B0000-0x00000000027E6000-memory.dmp

memory/3572-6-0x00000000051C0000-0x00000000057EA000-memory.dmp

memory/3572-7-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/3572-8-0x00000000050D0000-0x00000000050F2000-memory.dmp

memory/3572-9-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/3572-11-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/3572-10-0x00000000057F0000-0x0000000005856000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5ng1cdp.ney.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3572-20-0x0000000005A50000-0x0000000005DA7000-memory.dmp

memory/3572-21-0x0000000005F70000-0x0000000005F8E000-memory.dmp

memory/3572-22-0x0000000006590000-0x00000000065DC000-memory.dmp

memory/3572-23-0x0000000006500000-0x0000000006546000-memory.dmp

memory/3572-26-0x0000000070FF0000-0x000000007103C000-memory.dmp

memory/3572-25-0x0000000007390000-0x00000000073C4000-memory.dmp

memory/3572-27-0x0000000071240000-0x0000000071597000-memory.dmp

memory/3572-37-0x0000000007410000-0x00000000074B4000-memory.dmp

memory/3572-38-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/3572-36-0x00000000073F0000-0x000000000740E000-memory.dmp

memory/2748-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3572-39-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/3572-40-0x0000000007B70000-0x00000000081EA000-memory.dmp

memory/3572-41-0x0000000007530000-0x000000000754A000-memory.dmp

memory/3572-42-0x0000000007570000-0x000000000757A000-memory.dmp

memory/3572-43-0x0000000007630000-0x00000000076C6000-memory.dmp

memory/3572-44-0x00000000075A0000-0x00000000075B1000-memory.dmp

memory/3572-45-0x00000000075E0000-0x00000000075EE000-memory.dmp

memory/3572-46-0x00000000075F0000-0x0000000007605000-memory.dmp

memory/3572-47-0x00000000076F0000-0x000000000770A000-memory.dmp

memory/3572-48-0x00000000076D0000-0x00000000076D8000-memory.dmp

memory/3572-51-0x0000000074D80000-0x0000000075531000-memory.dmp

memory/2748-53-0x00000000048C0000-0x0000000004CBC000-memory.dmp

memory/2748-54-0x0000000004CC0000-0x00000000055AB000-memory.dmp

memory/2748-55-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2952-64-0x0000000005AA0000-0x0000000005DF7000-memory.dmp

memory/2952-66-0x0000000071220000-0x0000000071577000-memory.dmp

memory/2952-65-0x0000000070FF0000-0x000000007103C000-memory.dmp

memory/2952-75-0x0000000007220000-0x00000000072C4000-memory.dmp

memory/2952-76-0x0000000007520000-0x0000000007531000-memory.dmp

memory/2748-78-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3608-77-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2952-79-0x0000000007570000-0x0000000007585000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8c290717aa74c40097406c6bee1ad5b4
SHA1 177a44a943392a2637ce7abe649578ee01a5ff24
SHA256 7dac0d34cd4ad892f9bf8625f3d5cfbbd72b19d145995aa68a0c7e6610a4d4bc
SHA512 a5431a6e7e094f761b800b3c36503b6647c11ea2168791949943d0f1d1715b3e719ca876ee29553a848f58b4773aed799e6718a34ad7117db7ac5a6a7a423763

memory/4816-93-0x0000000071240000-0x0000000071597000-memory.dmp

memory/4816-92-0x0000000070FF0000-0x000000007103C000-memory.dmp

memory/2684-111-0x0000000005AB0000-0x0000000005E07000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6d2dfd8c2dd3df04701602a29a099c3e
SHA1 239f64f386cdaa2bcbc4db6d08c96b0d68780930
SHA256 2fa81ab88325f35304b6e4ef58b65764d5a37051af54f922f9ffc7cbdff9f7a5
SHA512 1048d47672e339a21c4e7cc68dc3b329c9a6dac83bcb3b6ea70f79e30b9a0bb622defd158fcb304fd2ed55acc7953093983d6091d5a2c6cd2f59749d8bd0105d

memory/2684-114-0x00000000711C0000-0x0000000071517000-memory.dmp

memory/2684-113-0x0000000070FF0000-0x000000007103C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d224c01165136763824cb4cf0144493f
SHA1 9bc66aac34d81bbfb85e9f7e2e02d2c25d8d0394
SHA256 26df6a3c515d9e9c0f3a1911864b8a8931e955f4abe948fc95114566e73b3d86
SHA512 fd908bf6b893bd367f35e4c7b4bbf2cc92634479fa56d825b5495931284e52cf120e52ae74c79d10e872a71f92e446df5b0e74c89d735106790e23da4f5827d2

memory/3608-130-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2868-141-0x0000000005A50000-0x0000000005DA7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a7b347f8b17300c626363fe3e5084636
SHA1 1f22415603f4538464af8a966ac352e02b0df4fc
SHA256 cace370923580f55ff9f9106968d3787f7d2ffdfb507fd183390727daa87b04b
SHA512 8f2a3fefee38a10716b6be4998bc95362e048f7a750616a223a17532fef6e157453b62aa076fc63f551ebee83b2a9db8622fe1d2c488b9f19998c647f8d8e04a

memory/2868-143-0x0000000070FF0000-0x000000007103C000-memory.dmp

memory/2868-144-0x0000000071170000-0x00000000714C7000-memory.dmp

memory/2716-154-0x0000000005890000-0x0000000005BE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8ef0854007fefa4c4faaddcb00aca33e
SHA1 a2f0f0ca512ed29a8fc5f01be9074554dbfc39a0
SHA256 dfd4bad37036c6dfe1298f9a50283899b30c595d967efa234bb934b38f7bbc0c
SHA512 1e71b126dc381a53bdf3b1f244f69f5459c00d42fb0cd142e38a9ca1fe0ced1262d802ddbb52612dc21f9e7d48c9beec0608cfc4938ac9b308fd3ec666e518cd

memory/2716-164-0x0000000005E70000-0x0000000005EBC000-memory.dmp

memory/2716-165-0x0000000070F10000-0x0000000070F5C000-memory.dmp

memory/2716-166-0x0000000071160000-0x00000000714B7000-memory.dmp

memory/2716-175-0x0000000007070000-0x0000000007114000-memory.dmp

memory/2716-176-0x0000000007410000-0x0000000007421000-memory.dmp

memory/2716-177-0x0000000005C10000-0x0000000005C25000-memory.dmp

memory/1676-187-0x0000000005BF0000-0x0000000005F47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 81d1231ac16ed313efd8f895c900ab4a
SHA1 f96568c802ead7eed2d6e28a7c28fac4f0fc2223
SHA256 7abe758010c7803515748c97e8d8c1fd248ba09718d30ae7d164b947e70e7471
SHA512 2650544f2efe5e25d5c2dc2f1ca1737683eb535e6b2d4622b422dcc4e82716e9036fd1f8c88c003644c6c30fad75dc0894078cc1abfba5a1a5f96c3709f35eaa

memory/3308-190-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1676-191-0x0000000070F10000-0x0000000070F5C000-memory.dmp

memory/1676-192-0x0000000071120000-0x0000000071477000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3308-209-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4980-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1456-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4980-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3308-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1456-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3308-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3308-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1456-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3308-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3308-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3308-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3308-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3308-249-0x0000000000400000-0x0000000002B0B000-memory.dmp