Malware Analysis Report

2025-08-05 20:57

Sample ID: 240404-wbqjjsee59
Target: 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345
SHA256: 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345
Tags: glupteba discovery dropper evasion loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345

Threat Level: Known bad

The file 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-04 17:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-04 17:45
Reported: 2024-04-04 17:48
Platform: win10v2004-20240226-en
Max time kernel: 182s
Max time network: 194s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

16 matches recorded; the sandbox captured no description, indicator, process or target for any of them.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
2 matches recorded; the sandbox captured no description, indicator, process or target for either of them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\system32\cmd.exe
PID 4128 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\system32\cmd.exe
PID 4940 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4940 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4128 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\rss\csrss.exe
PID 4128 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\rss\csrss.exe
PID 4128 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\rss\csrss.exe
PID 4240 wrote to memory of 956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4240 wrote to memory of 316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4556 wrote to memory of 4284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
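
The table above has one row per WriteProcessMemory call and identifies processes by PID only. That is enough to rebuild the process tree, but it hides a trap: PID 4556 appears first as a powershell.exe child of the dropper and later as windefender.exe writing into cmd.exe, so the PID was reused during the run and a tree keyed on PID alone would hang the sc.exe chain under a PowerShell process. The Python below is an added example, not part of the sandbox report, that parses these rows (embedded verbatim as constructed input), keys every process by (PID, image path) so the reuse does not merge two unrelated processes, counts repeated writes per parent/child edge, and prints the tree. All function and variable names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" rows of this report,
# copied as printed. Each row is one WriteProcessMemory call, so repeated rows for
# the same parent/child pair are counted rather than dropped.
WPM_ROWS = r"""
PID 1620 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\system32\cmd.exe
PID 4128 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\system32\cmd.exe
PID 4940 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4940 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4128 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4128 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\rss\csrss.exe
PID 4128 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\rss\csrss.exe
PID 4128 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\rss\csrss.exe
PID 4240 wrote to memory of 956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 3228 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 2724 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4240 wrote to memory of 316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4240 wrote to memory of 316 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4556 wrote to memory of 4284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 4284 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4284 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# A node is (pid, image path): PIDs get reused, so a bare PID is not an identity.

def parse_rows(text):
    pairs = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        pairs.append(((int(m[1]), m[3]), (int(m[2]), m[4])))
    return pairs

def build_tree(pairs):
    """children: node -> ordered child nodes; writes: (parent, child) -> call count."""
    children, writes = defaultdict(list), Counter()
    for parent, child in pairs:
        if child not in children[parent]:
            children[parent].append(child)
        children.setdefault(child, [])
        writes[(parent, child)] += 1
    return dict(children), writes

def basename(node):
    return node[1].rsplit("\\", 1)[-1]

def roots(children):
    kids = {c for cs in children.values() for c in cs}
    return sorted(n for n in children if n not in kids)

def pid_collisions(children):
    """PIDs seen with more than one image: the sandbox observed PID reuse."""
    seen = defaultdict(list)
    for node in children:
        if basename(node) not in seen[node[0]]:
            seen[node[0]].append(basename(node))
    return {pid: names for pid, names in seen.items() if len(names) > 1}

def ancestry(children, node):
    """Image basenames from the root down to node."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [node]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [basename(n) for n in reversed(chain)]

def render(children, writes, node, depth=0, parent=None):
    tag = f"  [{writes[(parent, node)]} writes]" if parent else ""
    lines = [f"{'    ' * depth}{node[0]} {basename(node)}{tag}"]
    for child in children[node]:
        lines += render(children, writes, child, depth + 1, node)
    return lines

CHILDREN, WRITES = build_tree(parse_rows(WPM_ROWS))

if __name__ == "__main__":
    for root in roots(CHILDREN):
        print("\n".join(render(CHILDREN, WRITES, root)))
    print("PID reuse:", pid_collisions(CHILDREN))
```

Run as-is it prints three roots: the first dropper instance (1620), the second dropper instance (4128) with its five PowerShell/cmd/csrss children, and windefender.exe (4556) with the cmd.exe and sc.exe chain. The table never records a write from csrss.exe into windefender.exe, so the third root stays unattached; that is what the data supports, not a gap in the parser. The two dropper instances are likewise not linked by any row.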

Uses Task Scheduler COM API

persistence

Processes

Image: C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\system32\cmd.exe
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Image: C:\Windows\system32\netsh.exe
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\rss\csrss.exe
Command line: C:\Windows\rss\csrss.exe

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Image: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /delete /tn ScheduledUpdate /f

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile

Image: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Image: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Image: C:\Windows\windefender.exe
Command line: "C:\Windows\windefender.exe"

Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Image: C:\Windows\SysWOW64\sc.exe
Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Image: C:\Windows\windefender.exe
Command line: C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 0b1aff74-21d2-43dc-a135-0f8e99c94db7.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server4.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server4.theupdatetime.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpdm53v2.b3s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2aacb4c97807ec5acc8a78871fbf55d8
SHA1 c9ca110b4d579fc105b6934461d6e7ed5bbafebd
SHA256 3d89571246e1fe70114f5c781ccef7a330b835182a3a225522b16b9bc8ebc1c7
SHA512 8b7ef09568d83447f5293709c6e6f491ccda827d3c6da3b62b09a07341bb304091adc9731aa9aec82b70210745e88975a15ea4996ba2804df7c3ce82f859d115

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a91981fa9a667963c6cd8b12509f6de9
SHA1 0d3f91bbb1bf5f03c133ad0709bef2afa1172b01
SHA256 d00ef114e614e13ebf41c2f1310f8e10ba28d03432488d9c8c03de43cb6dda8f
SHA512 f8ff2e65069fd46af9ad864f8df1efa38dcde4a4790ef2e85f095a2667e222f2352298115c1425f5c0a493a519667d7f820055094c8596b9824633d0cb8b886e

C:\Windows\rss\csrss.exe

MD5 26d7d6f179a5a619a78529366f519304
SHA1 b27899e55ffe3a800ea4483346ebec442511ca4f
SHA256 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345
SHA512 15b3a0948acacc333f92bf8d31528c4c9140e2b70beaf59627bbfd96415ad9b4a876ed82a33ac2e166971d03c05cc6b66723a76bd4a0d2983446d6a5da0cff26

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0859f3946fea905aadba535b34b1168b
SHA1 179489a96c6508558ba9d712ca699b6caecc77d3
SHA256 9f957834b3edd2df544b160d2a62ab9b2fea22e72c80bad51fc0270df52a2adc
SHA512 18fb962f6739707c604f675189c71dc253cb3fba645b5c93c51799b74311406a734e73675e4c41ee5950a74d01ade8321c479181c5256d2dcd02b0b763a5c04f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 99845185477f90de8d1e7766f621461b
SHA1 b2ff7537aa0f9e9f79fe62ac059a57c7470d7983
SHA256 aba8f899812590dc72b375d981884207df5ccd4ef4a0936081c38a5742aaca2d
SHA512 48a9d3891e3e937a7cdc650eb284c29a2c80013c7a3714db8ec4bfb22486ba7ac38b46e29cd69083d1792bc39bfc2e274b2cd0c08f4c5ae1a1274b831e4cfdd6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ea2fb27c9c4594996970aeb3a7e2d53b
SHA1 aee9c823f8a4d1c667a11dd36dd5cb21c8f7904c
SHA256 91a1b04c0844a047c582214afced63300328ea469538dd3eb0da2221588fec10
SHA512 810c1417d2199510ad944d7d330ac93d97f6866ef8bef3720c9c2b267eb12dd99d79af2c266808e93876fcf60f9b2cbe98ce700f11a90feda25f297e3039cdcd

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 17:45

Reported

2024-04-04 17:47

Platform

win11-20240221-en

Max time kernel

59s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\system32\cmd.exe
PID 1348 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4416 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe C:\Windows\rss\csrss.exe
PID 4964 wrote to memory of 1932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 3164 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 2936 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe

"C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe

"C:\Users\Admin\AppData\Local\Temp\4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 9eed2215-1006-4088-98f9-092abe6123fc.uuid.theupdatetime.org udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xo1zl4a0.lkk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 675e5720816c419d3f242b9336c6d1da
SHA1 279fda572c83a43e18526e21c818e6e0110fa83f
SHA256 b851ab3760d8c4878025f5a2ee3486195cf0bb7445952ee68c7d20064ac09935
SHA512 fee1dea7da4d28f9342c9eeb169ab8c52878a24a98978a1dbbd35a54d35548790131f6d8ea2a62a5b142e241e8ad480d9ec158dc72c217126238e7735efe9ac4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 11df36e6b4e130a03d4044879e2f62d8
SHA1 880f6effa9fa0be32dc182f930b5b179574f984f
SHA256 0863ced90fd898af9a4789de663a852de7419e311a6de81eaebf40530cd7ad97
SHA512 bcbe5c81462e19f060690c5fc65777afc38943252414146bc346bfccbdc2721aad8d14bf44ada39346143b67fde61f7046b33bdbc98ec4bf4a68db0a5e5cae3e

C:\Windows\rss\csrss.exe

MD5 26d7d6f179a5a619a78529366f519304
SHA1 b27899e55ffe3a800ea4483346ebec442511ca4f
SHA256 4f71666e37910508ae2424fd7964a985627d2cb9ab36bfc8e671f4677b636345
SHA512 15b3a0948acacc333f92bf8d31528c4c9140e2b70beaf59627bbfd96415ad9b4a876ed82a33ac2e166971d03c05cc6b66723a76bd4a0d2983446d6a5da0cff26

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 83d7edce36f80c5568c35e9cac0af06e
SHA1 54d4c286e79dfd03ee7744d222c467e8c497306d
SHA256 f7319774af409b499c78c08ecd83e62dcccc7b0deb8d2464676aacd77aef01e3
SHA512 e3004ba10b5c7a45b06feeef537a7d65215dc4b64c7db31da8c7cc49fe6758b4043d3abdb169c314b49f5f3fdcbab4d06f44a39299c0116d5db72526bcf58d37

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8dd401d2477a028e5d1f3c9672aa016e
SHA1 30cb98dc7c1559b6435349c2384018db621a5cc4
SHA256 3cedefce48aaf478f48ffb12e200a32d284be113ea75c11b72935b3278994057
SHA512 11528e6e2c0d7be04e2d6a2b817449362c8c4179a3f1ea17eed4c47b70980c03fab47caecfc280f744eaf17ef646484c3e8d55672fb16d6e0dcbac44ef823da3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 901831ad1f7efa67c85283d61f2f8b02
SHA1 4f1b5d05e66398fe2291c7af771816a862043f35
SHA256 d97b98d5beaf9df3c6831c93511e6110c219ba8d7b6fea54896bbd9295fe2917
SHA512 a530598be8d28cb4e5d8d88287110916fb380d6b4c80f5814c190d81240af00bfc3ca617226ded6ff77337572d42fbb16b8f84a9be5bee447bdf1f3548576993