Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-x3v4sach7z
Target 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2
SHA256 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2

Threat Level: Known bad

The file 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:23

Reported

2024-04-17 19:26

Platform

win10v2004-20240412-en

Max time kernel

151s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 32 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 32 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\system32\cmd.exe
PID 3944 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3944 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2088 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\rss\csrss.exe
PID 2088 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\rss\csrss.exe
PID 2088 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe C:\Windows\rss\csrss.exe
PID 1764 wrote to memory of 2908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2908 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 2588 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 344 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 344 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 344 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1764 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1764 wrote to memory of 4972 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3212 wrote to memory of 2932 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 2932 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 2932 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2932 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2932 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe

"C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe

"C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 60.166.213.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 363d3e39-6744-4735-9dc4-be29a295cc25.uuid.realupdate.ru udp
US 8.8.8.8:53 server8.realupdate.ru udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.96:443 server8.realupdate.ru tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y50e5hju.2rp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5f18fc1337b2e71bd711b85630e505d9
SHA1 a032c9bf94a2151bebf68e1e7d104535ebbbdcf2
SHA256 c67ea676aa67732d0c4daa64c26f07e8ca49f6f20968ce780f17f3b775959861
SHA512 80f5fff38957d0f2e07b85993cfb423f99965e7fa38f18de6e297767b2b4aaef4b3cb4563ad044a36183c3b47ac9386ec9d359b4a0845a56d387909df750e696

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dcbd71d1544fb2b6ab48ca9d275425a4
SHA1 bf5972cd3b409dcd1520942861fba02578d271e9
SHA256 69ed09b3a578419dd8764351b43eb44a33bd32367622e951c53259a8f57862d2
SHA512 bac67c106085902c6bec19e19b6c5077e4e0f32be48a49fc24273d93cd791ef1f4ed014b9e790f7be07d639762583389b4650e7bc7172fe3ae03b520b6fcde33

C:\Windows\rss\csrss.exe

MD5 12c28f325f6710cebe89796872aba437
SHA1 992472d2b130f9a0a419b5982e11f62dda05c79c
SHA256 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2
SHA512 95d68893354c01f4743b4989103c0d0f56949bdc8e7d58a59be4e19850a68a93c7067c6c12d9cd61ad89a250ce51f6217179bf79acb342d4c7c587d28fb41a0e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1153fb129e8f7d17e5f3017ab85d39d6
SHA1 cb3f908d11e58b6690816af196dc07cc99d211db
SHA256 f8d8446264f9ed8a5f20f9dc5cba7f014b19a8a9e72b742644a9822063adb69a
SHA512 53f225d63fb3e20dea9d137ee5498c7e8ca2ffb0fbd3a48664de57be5ac7f38754e8c5987ec0da94aa05707d7cc8f7e291b66041a224edc4fd7dc5b7590932f9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c262d4f0b2be04611989bf9aeb97a469
SHA1 644349b74f25c6c62341deb48e393b7a4774e632
SHA256 19896933848d25eb16ca43ad26a059abba450ffa873d13cbe1f7ca1571047a2d
SHA512 f40a9bf9442987c3e2219ed8280e3923f9bed4d68ed6498a3e77ef5953f119d66a1c7bdaf8c9765d4288c0a11a5f21ca0e3e0980dbac8359ef6689184f490944

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 90a9c3383958fc6062268c257fe1f6e6
SHA1 a320f3c0fdff50ab354089c5240b1d4c6c2df824
SHA256 c6fd55c7c125a6ae4c9e695f4791fc0d8d73350fa0c61ad6eb771222c8cfc550
SHA512 93bcaf3910083874718eacc9f71dd2d2cf9f0d8161128370fe22a13e340af2a4513d40d7780b679f10c518a441e9c0a73405152eb65b36eb70bd780ced125b0f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:23

Reported

2024-04-17 19:25

Platform

win11-20240412-en

Max time kernel

4s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target

Processes

C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe

"C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe

"C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5187d1ce-4d41-4111-97c2-3ca8c23330bc.uuid.realupdate.ru udp
US 8.8.8.8:53 server13.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server13.realupdate.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server13.realupdate.ru tcp
BG 185.82.216.96:443 server13.realupdate.ru tcp
BG 185.82.216.96:443 server13.realupdate.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmkedz1l.yqy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ec42b5c78e8cdf76a145ff640522548b
SHA1 2f5997d20cdcaaa75e0ae4bdd738ae481168a6c5
SHA256 2ed0d5610e74f5820b6296690fcf3ec0df1a5ddb1a8463f1041cc36b1b7a273c
SHA512 710b3c5af8493d189ac6013bfcf27fcc0497125b50d409f208436d428a0f898fb490256b7ad84ada9ca577d2ebc9d7edf6dd935b1f5a3a226459573d1096f7a8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f89931f572de7f7d918aa55f16ebcba8
SHA1 ed51ba725dcc0bd5b1034bacfc5022e5e591ce6a
SHA256 57b37f39749daeb5f738b7a4ac6b86e074561b04d51fbc4e787c6fae1ce323a4
SHA512 74ac208cc2b4cf02242dca4f5821dd0db790ed2244552519c2d2c926fe3ba4564f26853a77a9757911b9efe7b9d17c198d931a9cb65eae9414689f00e83c4fbb

C:\Windows\rss\csrss.exe

MD5 12c28f325f6710cebe89796872aba437
SHA1 992472d2b130f9a0a419b5982e11f62dda05c79c
SHA256 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2
SHA512 95d68893354c01f4743b4989103c0d0f56949bdc8e7d58a59be4e19850a68a93c7067c6c12d9cd61ad89a250ce51f6217179bf79acb342d4c7c587d28fb41a0e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f22ccf55ed36e223539d909a2eeee0a5
SHA1 d38796b61f927ba986381ff03df2e1b238125a33
SHA256 cfcc97e5e683c80630a3f74d2c26e649aee2f414f158921ca0350298c78a5b9a
SHA512 a8b16adc704a4e191482b24bc0dcc4c418912c5d227f027ae5625011a66a9b73b2beafb56060c617cc09679cce78a809b99189d496b8ccb96476bf324cec5f2c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1032e327a0c33321e1ca13e43dba3491
SHA1 3afcd5cd5213332e33b7d02b9ee537b6b5b7bfbc
SHA256 995e0246f313d05f26c0171142d0c5d8bf41dd299ca0ba2496db21d184f3ed66
SHA512 aa0b12f493875e1dccb440955566f7f29fdb0a0ffd2074bede81be90b4139782332f68aef415926ab98510a0224125815d45f65216d00dba2aefcda316609ed2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 495d2bf1f56e3cbd50b68565c1711d97
SHA1 7ddca8d09b67e862d1aad62f6676b102a0b5cb48
SHA256 e7ee05df3ab63f7f297eaaf54cd35ec01555110c862530bbc64ff067e303c801
SHA512 4e3b86392c4a670248808b79f49faa78b4eac921febadacff570c8768ff0c85140d36655a0616e7537ae680b37eb86b0405926ffef610ea7caef754e437c5a69

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
