glupteba | ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2023, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Size

4.2MB
MD5

a51330277403d71f535b588396585a22
SHA1

2610c6f9344678f88426d467521bae3ad8011800
SHA256

ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb
SHA512

5e99fcdc97b7faab7cd34c2409b69337857f03c1068e4dff5237abcb3185749a4f96610504b85868dcdef7983c109813d60e15743cccf89d97725721b5129ed1
SSDEEP

98304:LSer3mNRRMRcFy/UDRwFrUOtaYO77kPSf61Lxin0ElARZR0hiO:YVecE/UDTYo7t0Lm0VKiO

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral1/memory/368-134-0x0000000002FD0000-0x00000000038BB000-memory.dmp	family_glupteba
behavioral1/memory/368-155-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/368-180-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2444-208-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2444-265-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-319-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-352-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-395-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-404-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-413-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-447-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-456-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-465-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/3760-477-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2312	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
3760	csrss.exe
3408	injector.exe
4548	tor.exe

Loads dropped DLL 9 IoCs

pid	Process
4548	tor.exe
4548	tor.exe
4548	tor.exe
4548	tor.exe
4548	tor.exe
4548	tor.exe
4548	tor.exe
4548	tor.exe
4548	tor.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
File created	C:\Windows\rss\csrss.exe	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3360	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4920	schtasks.exe
5080	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	powershell.exe
2836	powershell.exe
368	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
368	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
4524	powershell.exe
4524	powershell.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
3836	powershell.exe
3836	powershell.exe
4156	powershell.exe
4156	powershell.exe
976	powershell.exe
976	powershell.exe
2472	powershell.exe
2472	powershell.exe
2348	powershell.exe
2348	powershell.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3760	csrss.exe
3760	csrss.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3760	csrss.exe
3760	csrss.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3760	csrss.exe
3760	csrss.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe
3408	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	368	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Token: SeImpersonatePrivilege	368	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeSystemEnvironmentPrivilege	3760	csrss.exe
Token: SeSecurityPrivilege	3360	sc.exe
Token: SeSecurityPrivilege	3360	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2836	368	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	85
PID 368 wrote to memory of 2836	368	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	85
PID 368 wrote to memory of 2836	368	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	85
PID 2444 wrote to memory of 4524	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	95
PID 2444 wrote to memory of 4524	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	95
PID 2444 wrote to memory of 4524	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	95
PID 2444 wrote to memory of 1348	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	97
PID 2444 wrote to memory of 1348	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	97
PID 1348 wrote to memory of 2312	1348	cmd.exe	99
PID 1348 wrote to memory of 2312	1348	cmd.exe	99
PID 2444 wrote to memory of 3836	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	100
PID 2444 wrote to memory of 3836	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	100
PID 2444 wrote to memory of 3836	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	100
PID 2444 wrote to memory of 4156	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	103
PID 2444 wrote to memory of 4156	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	103
PID 2444 wrote to memory of 4156	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	103
PID 2444 wrote to memory of 3760	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	105
PID 2444 wrote to memory of 3760	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	105
PID 2444 wrote to memory of 3760	2444	ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe	105
PID 3760 wrote to memory of 976	3760	csrss.exe	107
PID 3760 wrote to memory of 976	3760	csrss.exe	107
PID 3760 wrote to memory of 976	3760	csrss.exe	107
PID 3760 wrote to memory of 2472	3760	csrss.exe	110
PID 3760 wrote to memory of 2472	3760	csrss.exe	110
PID 3760 wrote to memory of 2472	3760	csrss.exe	110
PID 3760 wrote to memory of 2348	3760	csrss.exe	114
PID 3760 wrote to memory of 2348	3760	csrss.exe	114
PID 3760 wrote to memory of 2348	3760	csrss.exe	114
PID 3760 wrote to memory of 3408	3760	csrss.exe	116
PID 3760 wrote to memory of 3408	3760	csrss.exe	116
PID 3760 wrote to memory of 2384	3760	csrss.exe	122
PID 3760 wrote to memory of 2384	3760	csrss.exe	122
PID 3760 wrote to memory of 2384	3760	csrss.exe	122
PID 2384 wrote to memory of 3360	2384	cmd.exe	123
PID 2384 wrote to memory of 3360	2384	cmd.exe	123
PID 2384 wrote to memory of 3360	2384	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
"C:\Users\Admin\AppData\Local\Temp\ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe
  "C:\Users\Admin\AppData\Local\Temp\ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:976
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2472
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3408
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:5080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkkwpmdu.zi1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp

Filesize
2.2MB

MD5
cf199910e965b2db6ba621e9ff136a8d

SHA1
4c46509b4202750b80de5c0c510f92b2eefca534

SHA256
742fbc0e499ad7533d8c4c4fab9c2a4526a8c933ddbfc362b170f8b9fcd9a655

SHA512
d85161e51a18c5ecb6469111b8d438136f0b9b14dc9efa128bcf833fd7a3cc464db86ddc28b51d19e12f9938bbb379e62688768f212d263dac7366f51b25ccf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new

Filesize
4.3MB

MD5
76dac1ad1b05bc56ea25118e556b7509

SHA1
4efc0fca02c8cfa3740e6b9577b2f851ac8f9b6d

SHA256
4530e5a52904378e71bda0cc76f6a5fed34f1534feefec9e29cc82b72a98c1c6

SHA512
4f2189b661bbc40521384a2a866cc158434f07ffd11f7d763524eb58f6363f29adab643248cb5e8f153485f28f40e89597f5025f1ef48d90878416df6a4d99d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\geoip

Filesize
3.8MB

MD5
c72911dec6ae8c4bc62bb2a6a21ba85b

SHA1
0ae7077313a53103c2b32100d74aafc04216289d

SHA256
7e777efc194ea9788171636085b19875d19397d3249fbb88136534037a3dc38f

SHA512
99dc9761ad69f5508d96a2362b930728d451f5ddcf7bb1e210ec5b0f14ee00ee71efaaab150ffa16a2f92fbbb1e2a6b5cd92d51721996df7ac794491c441c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\geoip6

Filesize
5.6MB

MD5
ed2f9b19dd1584d7e26f5ba460ef2fbf

SHA1
dcbf1789bf1eeb03276b830cb2ab92bcf779d97f

SHA256
f11bd1d7546cad00b6db0a1594f3ac1daf9f541004fd7efb5414e068693d6add

SHA512
dcfc780d1e34968390969b64ea2091b630c8eec94ac4724a4103a003a2f31545c3791a39f514517153538b4d3f5c50b6bfba74cc9cf8c0b1b5daba0a4849c856

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc

Filesize
227B

MD5
17c2994d6a89cb7d277f1b3f0b49e5ed

SHA1
2a72ffc34cb2a7d7d3057f4725f2ac660a809158

SHA256
38ad4c6fb403fc2d5dc0dc83a165983a3fb426e0a850847fefc35e62a5ced67f

SHA512
d145ea667f70ed08b12d44228aea09cab637dd1acee131b919f22efdd4730b0c18daa0c83b196f5efa2082cf8f90bcd618b7c7efaab79ca5f0478ade0aca4728

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
97022965f871f5bc01e1d00f6a949a05

SHA1
b621646d09604238256f5ddf097b06373d18432f

SHA256
b9472cc436b77f7335d520efd864b83c7e37a36a390b8db98d9dcf76057b5479

SHA512
922ab40782b65f49a8de54bf36a2beb81518a52c1d03a1b4223d58d90bc9b60e9dd734fcbe585d2c6e68bcb2b6125292b7531de26a35d1f1540629f9484d7892

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9b1078ee3b61d2c5675981fb0c33ace6

SHA1
d96d78173434acd4e262f040f7955913d57a22b1

SHA256
42d4d9b98a9dfd31a5397e15790bfd0a1cb8553908a3b7dadad6ab55de09ddda

SHA512
60f81980df3d7a6aaed49ad850b936e0a3267a79e5501aca0c472cef6a2ce8904c6244b8d3d036009e6fbfa4c8a45221502e579d0c264d7bb60697357b7506e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f3df3302411b88442405423131eaf534

SHA1
03b8ebb7c9647d2a39ea9cbb84aad51611aa5e97

SHA256
e4c63925214f673d5c5d1401ba3d1f8ac3cee7386774d8fb453dda04e9195d2f

SHA512
5bfdddc3eede83086080765bf2531e31c6a7f132e49ef2e5b36489dcac45b0c7fa5d51cb6079a7abd0a50adb503b31d3eece205df06eb28ac1eb7ec602331074

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
323a678521e8ef32b9e9f8e180cead5d

SHA1
bd77796b1743a6b1109d83dc11c5e8e72f0a266f

SHA256
0221bfb63cb24470152ffa96f2408b87288ddf9e4cbdddfada3b6c4fba67b3b9

SHA512
c9a93136f77027daa25e2bffa467605fc479df198304fd7cef1262de1513ebd936677ab1fde72d0cdcb0b19405f4e664db12fe2c47359bd54c671b72eedd9ea5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
840d6fd8ce2b15b1f00c1be0e0fc8fcc

SHA1
caa94d6c69b028ff38676c7156d6cf77d1a394f6

SHA256
ae251c33d0d9658c3cd1e17ccde9fdd5f53144f4f4344f85bffb3423888656c8

SHA512
eac821b5de319efd76b4377461342bb220b3e9cb3feeca2074101bb203f702f3d74f5e0ac89c2bd717b500ff6fcb8c973291b049f8da22b49e7237522baa4ad9

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
a51330277403d71f535b588396585a22

SHA1
2610c6f9344678f88426d467521bae3ad8011800

SHA256
ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb

SHA512
5e99fcdc97b7faab7cd34c2409b69337857f03c1068e4dff5237abcb3185749a4f96610504b85868dcdef7983c109813d60e15743cccf89d97725721b5129ed1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
a51330277403d71f535b588396585a22

SHA1
2610c6f9344678f88426d467521bae3ad8011800

SHA256
ff43f8c60af996a8b2c8a5b9d047370f28ef3c7ba1683b7043a3e736b761b4bb

SHA512
5e99fcdc97b7faab7cd34c2409b69337857f03c1068e4dff5237abcb3185749a4f96610504b85868dcdef7983c109813d60e15743cccf89d97725721b5129ed1

Download Submit
memory/368-180-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/368-134-0x0000000002FD0000-0x00000000038BB000-memory.dmp

Filesize
8.9MB

Download
memory/368-155-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/976-280-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/976-281-0x000000006FF20000-0x000000006FF6C000-memory.dmp

Filesize
304KB

Download
memory/976-269-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/976-268-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/976-292-0x000000007F2D0000-0x000000007F2E0000-memory.dmp

Filesize
64KB

Download
memory/976-282-0x00000000706E0000-0x0000000070A34000-memory.dmp

Filesize
3.3MB

Download
memory/2348-345-0x000000007FBD0000-0x000000007FBE0000-memory.dmp

Filesize
64KB

Download
memory/2348-331-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2348-332-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2348-333-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/2348-334-0x00000000705D0000-0x0000000070924000-memory.dmp

Filesize
3.3MB

Download
memory/2348-335-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/2444-208-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2444-265-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2472-305-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2472-304-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2472-318-0x000000007FDC0000-0x000000007FDD0000-memory.dmp

Filesize
64KB

Download
memory/2472-317-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2472-307-0x0000000070240000-0x0000000070594000-memory.dmp

Filesize
3.3MB

Download
memory/2472-306-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/2836-174-0x0000000007D10000-0x0000000007D1E000-memory.dmp

Filesize
56KB

Download
memory/2836-153-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/2836-136-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/2836-135-0x0000000003020000-0x0000000003056000-memory.dmp

Filesize
216KB

Download
memory/2836-172-0x0000000007D70000-0x0000000007E06000-memory.dmp

Filesize
600KB

Download
memory/2836-137-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/2836-139-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/2836-140-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/2836-146-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/2836-151-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/2836-152-0x0000000007790000-0x00000000077D4000-memory.dmp

Filesize
272KB

Download
memory/2836-173-0x000000007EEE0000-0x000000007EEF0000-memory.dmp

Filesize
64KB

Download
memory/2836-154-0x0000000007930000-0x00000000079A6000-memory.dmp

Filesize
472KB

Download
memory/2836-171-0x0000000007CB0000-0x0000000007CBA000-memory.dmp

Filesize
40KB

Download
memory/2836-157-0x0000000005350000-0x000000000536A000-memory.dmp

Filesize
104KB

Download
memory/2836-158-0x0000000007B80000-0x0000000007BB2000-memory.dmp

Filesize
200KB

Download
memory/2836-159-0x000000006FEC0000-0x000000006FF0C000-memory.dmp

Filesize
304KB

Download
memory/2836-160-0x0000000070040000-0x0000000070394000-memory.dmp

Filesize
3.3MB

Download
memory/2836-170-0x0000000007B60000-0x0000000007B7E000-memory.dmp

Filesize
120KB

Download
memory/2836-179-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/2836-156-0x0000000008030000-0x00000000086AA000-memory.dmp

Filesize
6.5MB

Download
memory/2836-176-0x0000000007D50000-0x0000000007D58000-memory.dmp

Filesize
32KB

Download
memory/2836-175-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/2836-138-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/3760-456-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-319-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-352-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-413-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-447-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-395-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-477-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-404-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3760-465-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3836-222-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/3836-210-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/3836-211-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/3836-233-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/3836-223-0x0000000070760000-0x0000000070AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3836-234-0x000000007F410000-0x000000007F420000-memory.dmp

Filesize
64KB

Download
memory/4156-251-0x000000007F310000-0x000000007F320000-memory.dmp

Filesize
64KB

Download
memory/4156-250-0x0000000070780000-0x0000000070AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-248-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/4156-247-0x0000000004630000-0x0000000004640000-memory.dmp

Filesize
64KB

Download
memory/4156-246-0x0000000004630000-0x0000000004640000-memory.dmp

Filesize
64KB

Download
memory/4156-249-0x0000000004630000-0x0000000004640000-memory.dmp

Filesize
64KB

Download
memory/4524-205-0x000000007F9B0000-0x000000007F9C0000-memory.dmp

Filesize
64KB

Download
memory/4524-193-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/4524-195-0x0000000070780000-0x0000000070AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-183-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/4524-182-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/4524-194-0x000000006FFC0000-0x000000007000C000-memory.dmp

Filesize
304KB

Download
memory/4548-388-0x0000000074630000-0x000000007465A000-memory.dmp

Filesize
168KB

Download
memory/4548-402-0x0000000074250000-0x0000000074551000-memory.dmp

Filesize
3.0MB

Download
memory/4548-403-0x0000000074200000-0x000000007424D000-memory.dmp

Filesize
308KB

Download
memory/4548-401-0x0000000074560000-0x0000000074622000-memory.dmp

Filesize
776KB

Download
memory/4548-405-0x0000000000240000-0x000000000068E000-memory.dmp

Filesize
4.3MB

Download
memory/4548-400-0x0000000074630000-0x000000007465A000-memory.dmp

Filesize
168KB

Download
memory/4548-399-0x0000000074660000-0x0000000074700000-memory.dmp

Filesize
640KB

Download
memory/4548-398-0x0000000074980000-0x000000007499E000-memory.dmp

Filesize
120KB

Download
memory/4548-439-0x0000000000240000-0x000000000068E000-memory.dmp

Filesize
4.3MB

Download
memory/4548-397-0x0000000074700000-0x00000000747C1000-memory.dmp

Filesize
772KB

Download
memory/4548-448-0x0000000000240000-0x000000000068E000-memory.dmp

Filesize
4.3MB

Download
memory/4548-396-0x0000000000240000-0x000000000068E000-memory.dmp

Filesize
4.3MB

Download
memory/4548-457-0x0000000000240000-0x000000000068E000-memory.dmp

Filesize
4.3MB

Download
memory/4548-389-0x0000000000240000-0x000000000068E000-memory.dmp

Filesize
4.3MB

Download
memory/4548-469-0x0000000000240000-0x000000000068E000-memory.dmp

Filesize
4.3MB

Download
memory/4548-387-0x0000000074700000-0x00000000747C1000-memory.dmp

Filesize
772KB

Download