Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-xrnkkacd61
Target 9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5
SHA256 9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5

Threat Level: Known bad

The file 9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:05

Reported

2024-04-17 19:08

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe C:\Windows\system32\cmd.exe
PID 4556 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4308 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe C:\Windows\rss\csrss.exe
PID 2236 wrote to memory of 1500 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 3268 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2044 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3068 wrote to memory of 3092 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe

"C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe

"C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
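The `sc sdset WinDefender ...` line above replaces the security descriptor of a service called WinDefender (not the legitimate Defender service, which is WinDefend). Read against a stock service descriptor, the change drops WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) from the Administrators allow ACE and adds an explicit deny for the same two rights, so a local administrator cannot stop or pause it, while SYSTEM still can. The following decoder is an added example, not part of the sandbox output: SAMPLE_SDDL is copied from the process list, the right-code table is the standard SDDL mapping onto SERVICE_* rights, and DEFAULT_SDDL is an assumed stock Windows 10 service descriptor used only for comparison.

```python
"""Decode the service security descriptor the sample applies with
`sc sdset WinDefender <SDDL>` and work out who can still stop the service.

Added example for this report, not sandbox output. SAMPLE_SDDL is copied from
the process list; the two-letter right codes follow the standard SDDL mapping
onto SERVICE_* rights; DEFAULT_SDDL is an assumed stock Windows 10 service
descriptor used only for comparison.
"""
import re

SERVICE_RIGHTS = {  # SDDL code -> service-specific right it maps to
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone",
}
ACE_RE = re.compile(r"\(([^)]*)\)")

SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def split_rights(codes):
    """'CCLCSWRP' -> ['CC', 'LC', 'SW', 'RP']; a hex mask is returned as-is."""
    if codes.startswith("0x"):
        return [codes]
    return [codes[i:i + 2] for i in range(0, len(codes), 2)]


def parse_dacl(sddl):
    """ACEs of the D: section as dicts, in descriptor order. The S: (SACL)
    section only controls auditing and is ignored for access decisions."""
    dacl = sddl.split("S:")[0]
    dacl = dacl[2:] if dacl.startswith("D:") else dacl
    aces = []
    for body in ACE_RE.findall(dacl):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        aces.append({
            "type": f[0],                      # A = access allowed, D = denied
            "rights": [SERVICE_RIGHTS.get(c, c) for c in split_rights(f[2])],
            "sid": f[5],
            "account": WELL_KNOWN_SIDS.get(f[5], f[5]),
        })
    return aces


def effective_rights(sddl, token_sids):
    """Rights a token holding `token_sids` (SDDL abbreviations) ends up with.
    ACEs are walked in order and, per right, the first ACE that mentions it
    decides, which is what the access check does for a single requested bit."""
    decided = {}
    for ace in parse_dacl(sddl):
        if ace["sid"] in token_sids:
            for right in ace["rights"]:
                decided.setdefault(right, ace["type"] == "A")
    return {r for r, allowed in decided.items() if allowed}


def lost_admin_rights(modified, baseline=DEFAULT_SDDL):
    """Rights Administrators hold under `baseline` but not under `modified`."""
    return effective_rights(baseline, {"BA"}) - effective_rights(modified, {"BA"})


def who_can_stop(sddl):
    """Well-known principals that keep SERVICE_STOP under `sddl`."""
    return sorted(name for sid, name in WELL_KNOWN_SIDS.items()
                  if "SERVICE_STOP" in effective_rights(sddl, {sid}))


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        verb = "ALLOW" if ace["type"] == "A" else "DENY "
        print(f"{verb} {ace['account']:<26} {' '.join(ace['rights'])}")
    print("Administrators lose:", sorted(lost_admin_rights(SAMPLE_SDDL)))
    print("Can still stop:", who_can_stop(SAMPLE_SDDL))
    print("Administrators keep WRITE_DAC:",
          "WRITE_DAC" in effective_rights(SAMPLE_SDDL, {"BA"}))
```

The deny is narrow: Administrators keep DC (SERVICE_CHANGE_CONFIG) and WD (WRITE_DAC), so `sc config WinDefender start= disabled` and `sc sdset WinDefender <default SDDL>` are still permitted by the descriptor itself, and a SYSTEM context retains SERVICE_STOP. `sc sdshow WinDefender` on a suspect host returns the live descriptor for comparison.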

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 48.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.58.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 740cc087-de09-4b0e-9711-8fdc718b4567.uuid.datadumpcloud.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.datadumpcloud.org udp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/2388-1-0x0000000004E60000-0x0000000005268000-memory.dmp

memory/2388-2-0x0000000005270000-0x0000000005B5B000-memory.dmp

memory/2388-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/436-4-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/436-5-0x0000000002F00000-0x0000000002F36000-memory.dmp

memory/436-6-0x0000000002F80000-0x0000000002F90000-memory.dmp

memory/436-7-0x00000000056A0000-0x0000000005CC8000-memory.dmp

memory/436-8-0x0000000005510000-0x0000000005532000-memory.dmp

memory/436-9-0x0000000005CD0000-0x0000000005D36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bjjc0hj0.adv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/436-15-0x0000000005EB0000-0x0000000005F16000-memory.dmp

memory/436-20-0x0000000005F60000-0x00000000062B4000-memory.dmp

memory/436-21-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/436-22-0x0000000006A40000-0x0000000006A8C000-memory.dmp

memory/436-23-0x0000000006970000-0x00000000069B4000-memory.dmp

memory/2388-24-0x0000000000400000-0x000000000310E000-memory.dmp

memory/436-25-0x0000000002F80000-0x0000000002F90000-memory.dmp

memory/436-26-0x00000000076F0000-0x0000000007766000-memory.dmp

memory/436-27-0x0000000007FF0000-0x000000000866A000-memory.dmp

memory/436-28-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

memory/2388-30-0x0000000004E60000-0x0000000005268000-memory.dmp

memory/436-31-0x000000006FF70000-0x000000006FFBC000-memory.dmp

memory/436-32-0x000000007EF70000-0x000000007EF80000-memory.dmp

memory/436-29-0x0000000007B10000-0x0000000007B42000-memory.dmp

memory/436-33-0x0000000070350000-0x00000000706A4000-memory.dmp

memory/436-43-0x0000000007AF0000-0x0000000007B0E000-memory.dmp

memory/436-44-0x0000000007B50000-0x0000000007BF3000-memory.dmp

memory/436-45-0x0000000007C40000-0x0000000007C4A000-memory.dmp

memory/436-46-0x0000000007D00000-0x0000000007D96000-memory.dmp

memory/436-47-0x0000000007C60000-0x0000000007C71000-memory.dmp

memory/436-48-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

memory/436-49-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

memory/436-50-0x0000000007DC0000-0x0000000007DDA000-memory.dmp

memory/436-51-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

memory/2388-52-0x0000000005270000-0x0000000005B5B000-memory.dmp

memory/436-55-0x00000000740D0000-0x0000000074880000-memory.dmp

memory/2388-56-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4308-58-0x0000000004D60000-0x0000000005165000-memory.dmp

memory/4308-59-0x0000000005170000-0x0000000005A5B000-memory.dmp

memory/4308-60-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4524-61-0x0000000074170000-0x0000000074920000-memory.dmp

memory/4524-63-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/4524-62-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/4524-73-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/4524-74-0x00000000067E0000-0x000000000682C000-memory.dmp

memory/4524-75-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/4524-77-0x000000007FDC0000-0x000000007FDD0000-memory.dmp

memory/4524-76-0x0000000070070000-0x00000000700BC000-memory.dmp

memory/4524-78-0x00000000701F0000-0x0000000070544000-memory.dmp

memory/4524-88-0x00000000075A0000-0x0000000007643000-memory.dmp

memory/4524-89-0x00000000078B0000-0x00000000078C1000-memory.dmp

memory/4524-90-0x0000000007900000-0x0000000007914000-memory.dmp

memory/4524-94-0x0000000074170000-0x0000000074920000-memory.dmp

memory/4308-91-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1088-96-0x0000000074170000-0x0000000074920000-memory.dmp

memory/1088-97-0x0000000005300000-0x0000000005310000-memory.dmp

memory/1088-98-0x00000000060C0000-0x0000000006414000-memory.dmp

memory/4308-108-0x0000000004D60000-0x0000000005165000-memory.dmp

memory/1088-109-0x0000000005300000-0x0000000005310000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c43e3b937176a3cdbfca13b476195145
SHA1 a7188192b848e5775375c679ff2cd8b9f5841036
SHA256 b620e59e9dcf5fd579b088309245bb07b94dabd84045d32467e45e47b3ca38b4
SHA512 b574a5cdf1b1430f29fc31fb50286b7db1f113f61a299ec01b7a792f06e8b209e0dd3006bc8cdea17f370cd50eb56c3bf0c568bea8f2bb0b9ca4c5c8893fef76

memory/4308-111-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1088-112-0x0000000005300000-0x0000000005310000-memory.dmp

memory/1088-113-0x000000007EE10000-0x000000007EE20000-memory.dmp

memory/1088-114-0x0000000070070000-0x00000000700BC000-memory.dmp

memory/1088-115-0x0000000070810000-0x0000000070B64000-memory.dmp

memory/4308-125-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1088-127-0x0000000074170000-0x0000000074920000-memory.dmp

memory/3512-128-0x0000000074170000-0x0000000074920000-memory.dmp

memory/3512-129-0x00000000028C0000-0x00000000028D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d68c844a5ea88d41057abd076315b8f8
SHA1 0a640426d33ff88d2ec3f4ea359bc389033362f3
SHA256 e3f74e2cdc637b13387bd7fa60b40aef641fdc66820d147a1ba941406c9ac483
SHA512 9fddaa8f4987482fc9655ae8faa8d4f15720319bf3c34216b8ed86640faca0256bc3bb988733cf15645e4e381310582ae0688c057a49b312195240b8c0779ef9

memory/3512-140-0x00000000028C0000-0x00000000028D0000-memory.dmp

memory/4308-152-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 95c61de23d7a31352055a0e3b9b5d203
SHA1 e139711e6eb5ad3dc013af5ddf06a551b8b675db
SHA256 9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5
SHA512 612e985097f3ee87e59990a5f0a755950315229809eb08d619de6049127905b19a60e919757305195de4b0baf9f21fa3bf84bb1238fc50bd631ff428e5b9a80d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b907f615bc78e9ba0fdc9259ec4070c2
SHA1 066b2cf9b93f0a6069a3c815d6830862e7475bf5
SHA256 ec223ddb202060b35e4cc02baaeb31b73ed2b03e562c19312ad56494fe0f6ba3
SHA512 f5d2cce5eafa455d332edd74e4381aa00ed041a59a1c32021c687b4f70ea4e87db02691a2ff60c397aec136d2c6c817c71ae4f03044869b0036f491883059367

memory/4308-194-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 44bc2a865d41d928d5e97a54a8232d5c
SHA1 d12154e40a1cc845ffbb5915ff43c882bb75b756
SHA256 f161a64eb6a33345d7c8aa0fbb7788e9dc30b4052a41c87a2fcbd424ed7ff372
SHA512 190c5bdf442a743135052d2b4a4759df59875d11a14998a968121818fb93e4ac251e5da6ac397f6150ecea55303dc3e751a236ea177c8c34c7f70240d4fc8fbe

memory/2236-209-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 82ae9ca0b2b5d8ba69ed5ba37e9d35de
SHA1 c8b469f0c9466ce3bfd7abf544d708f2f5dfd6c8
SHA256 183b99bf75e0d96e98d6c4db3a7da893530a0f04160dddf3a79a678d395ff79a
SHA512 6c54ff3eae8e2484764778131698effe0c813027aa808a998a80566f4595e3ff2c0ed2ee29a9a55dde2e84ad53ee1f67518901fe4c9ec4a41beea63f21adb50b

memory/2236-256-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2236-265-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3068-273-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2236-275-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3316-276-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2236-278-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2236-281-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3316-282-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2236-284-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2236-287-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2236-290-0x0000000000400000-0x000000000310E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:05

Reported

2024-04-17 19:08

Platform

win11-20240412-en

Max time kernel

1s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe

"C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe

"C:\Users\Admin\AppData\Local\Temp\9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
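The process chain is the same in both detonations: a firewall allow rule for C:\Windows\rss\csrss.exe, an ONLOGON scheduled task named csrss running that file with /RL HIGHEST, injector.exe loading NtQuerySystemInformationHook.dll into taskmgr.exe, and the sc sdset on the WinDefender service. The Files section shows C:\Windows\rss\csrss.exe with the same SHA256 as the submitted sample, so the task and the firewall rule point at a self-copy carrying a system process name outside System32. Hunt logic for each step, as an added example that is not sandbox output: the record shape is an assumption standing in for Sysmon Event ID 1 or Security 4688 fields, the five suspicious command lines are copied from the Processes section, and the two "Vendor" records are constructed benign look-alikes.

```python
"""Hunt rules for the persistence and defence-evasion chain in the process
list, run over constructed process-creation records.

Added example, not sandbox output. The record shape (image, command_line) is an
assumption standing in for Sysmon Event ID 1 / Security 4688 fields. The five
suspicious command lines are copied from the Processes section; the two
"Vendor" records are constructed benign look-alikes for contrast.
"""
import re
from pathlib import PureWindowsPath

# Base names that have no business running from anywhere but System32/SysWOW64.
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "wininit.exe",
                     "winlogon.exe", "services.exe", "svchost.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def masquerades(path):
    """System-process file name outside a trusted directory."""
    return PureWindowsPath(path).name.lower() in SYSTEM_ONLY_NAMES and not in_trusted_dir(path)


def rule_schtasks_highest_untrusted(ev):
    """schtasks /CREATE ... /RL HIGHEST whose /TR target is outside trusted dirs
    (covers the ONLOGON task named 'csrss' pointing at C:\\Windows\\rss)."""
    cl = ev["command_line"]
    if "schtasks" not in ev["image"].lower() or "/create" not in cl.lower():
        return False
    m = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', cl, re.I)
    if not m or not re.search(r"/RL\s+HIGHEST", cl, re.I):
        return False
    target = m.group(1) or m.group(2)
    return not in_trusted_dir(target) or masquerades(target)


def rule_netsh_allow_untrusted(ev):
    """netsh advfirewall ... add rule action=allow for a program outside trusted dirs."""
    cl = ev["command_line"]
    if "netsh" not in ev["image"].lower() or "action=allow" not in cl.lower():
        return False
    m = re.search(r'program=(?:"([^"]+)"|(\S+))', cl, re.I)
    return bool(m) and not in_trusted_dir(m.group(1) or m.group(2))


def rule_sc_sdset_deny_admins(ev):
    """sc sdset with a deny ACE for BUILTIN\\Administrators: admins lose the
    listed rights (here WP/DT, i.e. stop and pause) on the service."""
    cl = ev["command_line"]
    return "sdset" in cl.lower() and re.search(r"\(D;[^)]*;BA\)", cl) is not None


def rule_dll_into_named_process(ev):
    """Untrusted binary handed another process name plus a DLL path: a common
    user-mode injector shape (heuristic; review hits by hand)."""
    return (not in_trusted_dir(ev["image"])
            and re.search(r"\b\w+\.exe\s+\S+\.dll\b", ev["command_line"], re.I) is not None)


def rule_masquerading_image(ev):
    """Process image itself masquerades as a system binary."""
    return masquerades(ev["image"])


RULES = {f.__name__[5:]: f for f in (
    rule_schtasks_highest_untrusted, rule_netsh_allow_untrusted,
    rule_sc_sdset_deny_admins, rule_dll_into_named_process, rule_masquerading_image)}


def triage(events):
    """Return one hit per (rule, event) match."""
    return [{"rule": name, "image": ev["image"], "command_line": ev["command_line"]}
            for ev in events for name, rule in RULES.items() if rule(ev)]


EVENTS = [
    # Copied from the Processes section of this report
    {"image": r"C:\Windows\system32\netsh.exe",
     "command_line": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"image": r"C:\Windows\rss\csrss.exe", "command_line": r"C:\Windows\rss\csrss.exe"},
    {"image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "command_line": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "command_line": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"image": r"C:\Windows\SysWOW64\sc.exe",
     "command_line": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    # Constructed benign look-alikes (not from the report)
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /CREATE /SC DAILY /RL HIGHEST /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate /F'},
    {"image": r"C:\Windows\System32\netsh.exe",
     "command_line": r'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow program="C:\Program Files\Vendor\app.exe" enable=yes'},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(f"[{hit['rule']}] {hit['command_line']}")
```

Each of the five copied records trips exactly one rule and the two benign records trip none. The parent of the netsh step is C:\Windows\Sysnative\cmd.exe in the process list, meaning a 32-bit (SysWOW64) process reached the 64-bit cmd.exe through the Sysnative alias; a parent-image field, if your telemetry carries one, is a cheap extra condition for the netsh and schtasks rules.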

Network

Country Destination Domain Proto
US 8.8.8.8:53 05fbd317-50e9-4d19-9f37-136f9b8b50fe.uuid.datadumpcloud.org udp
US 8.8.8.8:53 server13.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server13.datadumpcloud.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server13.datadumpcloud.org tcp
BG 185.82.216.104:443 server13.datadumpcloud.org tcp
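Across the two Network tables the sample queries a hostname under uuid.datadumpcloud.org whose leftmost label is a UUID that differs between runs, then opens TLS connections to server14 (first run) and server13 (second run) under the same domain, both resolving to 185.82.216.104 (BG); it also hits the public STUN servers stun.ipfire.org and stun4.l.google.com, which answer with the client's public address. The summary below is an added example, not sandbox output: NETWORK_ROWS is copied from both tables, the UUID-label and STUN-port heuristics are this example's own, and registrable() is a deliberate two-label simplification of eTLD+1.

```python
"""Summarise the Network tables of both detonations: hostnames with a per-host
UUID label, TLS endpoints under the same domains, and STUN servers contacted.

Added example for this report, not sandbox output. NETWORK_ROWS is copied from
the two Network tables; the heuristics are this example's own.
"""
import re
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "country ip port domain proto")

UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
STUN_PORTS = {3478, 19302}  # classic STUN port and the one Google's servers use

NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 48.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.58.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 740cc087-de09-4b0e-9711-8fdc718b4567.uuid.datadumpcloud.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.datadumpcloud.org udp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
BG 185.82.216.104:443 server14.datadumpcloud.org tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 05fbd317-50e9-4d19-9f37-136f9b8b50fe.uuid.datadumpcloud.org udp
US 8.8.8.8:53 server13.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server13.datadumpcloud.org tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server13.datadumpcloud.org tcp
BG 185.82.216.104:443 server13.datadumpcloud.org tcp
"""


def parse_rows(text):
    """One Flow per table row: 'US 8.8.8.8:53 g.bing.com udp'."""
    flows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def registrable(host):
    """Naive eTLD+1 (last two labels); fine for the .org/.com names seen here."""
    return ".".join(host.split(".")[-2:])


def summarize(flows):
    # Forward DNS queries only; the in-addr.arpa rows are reverse lookups.
    dns = [f for f in flows if f.port == 53 and not f.domain.endswith(".in-addr.arpa")]
    uuid_hosts = sorted({f.domain for f in dns if UUID_LABEL.match(f.domain.split(".")[0])})
    beacon_domains = {registrable(h) for h in uuid_hosts}
    # TLS connections to the same registrable domains as the UUID lookups.
    related_tls = Counter((f.ip, f.domain, f.country) for f in flows
                          if f.port == 443 and registrable(f.domain) in beacon_domains)
    stun = sorted({f.domain for f in flows if f.port in STUN_PORTS and f.proto == "udp"})
    return {
        "uuid_hosts": uuid_hosts,
        "beacon_domains": sorted(beacon_domains),
        "related_tls": sorted(related_tls.items()),
        "stun_servers": stun,
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    for key, value in summary.items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

The domain-linking step only ties 443 traffic back to the UUID lookups; cdn.discordapp.com and carsalessystem.com are contacted in both runs as well and are not explained by it, so they stay on the list of observed endpoints rather than being dismissed as background noise.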

Files

memory/1408-1-0x0000000004F50000-0x0000000005349000-memory.dmp

memory/1408-2-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1408-3-0x0000000005350000-0x0000000005C3B000-memory.dmp

memory/4016-5-0x0000000002FF0000-0x0000000003026000-memory.dmp

memory/4016-6-0x0000000074C70000-0x0000000075421000-memory.dmp

memory/4016-8-0x0000000005820000-0x0000000005E4A000-memory.dmp

memory/4016-7-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/4016-9-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/4016-10-0x00000000055E0000-0x0000000005602000-memory.dmp

memory/4016-11-0x0000000005E50000-0x0000000005EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdkvo0ud.hrx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4016-12-0x0000000005F50000-0x0000000005FB6000-memory.dmp

memory/4016-21-0x00000000060B0000-0x0000000006407000-memory.dmp

memory/4016-22-0x0000000006480000-0x000000000649E000-memory.dmp

memory/4016-23-0x00000000064C0000-0x000000000650C000-memory.dmp

memory/4016-24-0x0000000006A30000-0x0000000006A76000-memory.dmp

memory/4016-25-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

memory/4016-37-0x0000000007900000-0x000000000791E000-memory.dmp

memory/4016-28-0x0000000071060000-0x00000000713B7000-memory.dmp

memory/4016-27-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

memory/4016-26-0x00000000078C0000-0x00000000078F4000-memory.dmp

memory/4016-38-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/4016-39-0x0000000007920000-0x00000000079C4000-memory.dmp

memory/4016-41-0x0000000007A40000-0x0000000007A5A000-memory.dmp

memory/4016-40-0x0000000008080000-0x00000000086FA000-memory.dmp

memory/4016-42-0x0000000007A80000-0x0000000007A8A000-memory.dmp

memory/4016-43-0x0000000007B90000-0x0000000007C26000-memory.dmp

memory/4016-44-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

memory/4016-45-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

memory/4016-46-0x0000000007B00000-0x0000000007B15000-memory.dmp

memory/4016-47-0x0000000007B50000-0x0000000007B6A000-memory.dmp

memory/4016-48-0x0000000007B70000-0x0000000007B78000-memory.dmp

memory/4016-51-0x0000000074C70000-0x0000000075421000-memory.dmp

memory/4072-53-0x0000000004EA0000-0x000000000529A000-memory.dmp

memory/2852-62-0x00000000059A0000-0x0000000005CF7000-memory.dmp

memory/4072-63-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2852-64-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/2852-65-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/2852-66-0x0000000074C70000-0x0000000075421000-memory.dmp

memory/1408-67-0x0000000004F50000-0x0000000005349000-memory.dmp

memory/2852-68-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

memory/2852-69-0x0000000071080000-0x00000000713D7000-memory.dmp

memory/2852-78-0x0000000007110000-0x00000000071B4000-memory.dmp

memory/1408-79-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2852-82-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/2852-81-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/2852-80-0x000000007FA80000-0x000000007FA90000-memory.dmp

memory/2852-83-0x0000000007450000-0x0000000007461000-memory.dmp

memory/2852-84-0x00000000074A0000-0x00000000074B5000-memory.dmp

memory/2852-87-0x0000000074C70000-0x0000000075421000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/1644-89-0x0000000074C70000-0x0000000075421000-memory.dmp

memory/1644-90-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1644-91-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/1644-97-0x0000000005990000-0x0000000005CE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7cfa230b2d72fe640b81d9df7c639a3a
SHA1 03914568cedc0f8a2432d8f09122a25d0231d3c7
SHA256 a81d9f3f42b3c0b66030a41952281c90bec5d320f7a95e8ea46374d7c7db230c
SHA512 c6a25e047c6dcf8901be5df4e8fe37a2c27ad3e163e40a7d58c5967214b54f27f7307bc7cb3bbb3c1345e9a9aecb8eb6b90601f2908cc66a8f054dbecc2095dc

memory/1644-104-0x0000000071130000-0x0000000071487000-memory.dmp

memory/1644-103-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

memory/1644-102-0x000000007F5F0000-0x000000007F600000-memory.dmp

memory/4072-113-0x0000000004EA0000-0x000000000529A000-memory.dmp

memory/1644-115-0x0000000074C70000-0x0000000075421000-memory.dmp

memory/1488-117-0x0000000004920000-0x0000000004930000-memory.dmp

memory/1488-118-0x0000000004920000-0x0000000004930000-memory.dmp

memory/1488-127-0x00000000058E0000-0x0000000005C37000-memory.dmp

memory/1488-116-0x0000000074C70000-0x0000000075421000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dca36bf5fe6b91014af04eb846860895
SHA1 2f357ff8960afd90fa488cb00921e6fc439f2738
SHA256 d8443ea30594c8da86401c7eda0a7ab18966b8a413aa0e1f072e887490937233
SHA512 45678c443d267f0b76701b81717ecfa6a3cb5d0f3616baf87149f25aa8d71295934962e8a3881e64cb36a96c2daa0e59a08ae07a2f98a6a5afda74090f0eaa16

memory/4072-130-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1488-131-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 95c61de23d7a31352055a0e3b9b5d203
SHA1 e139711e6eb5ad3dc013af5ddf06a551b8b675db
SHA256 9c6ca2b1d187bf6c90743a0b5f655380c2f78b0b5b5cc4ae6ff9c570004898f5
SHA512 612e985097f3ee87e59990a5f0a755950315229809eb08d619de6049127905b19a60e919757305195de4b0baf9f21fa3bf84bb1238fc50bd631ff428e5b9a80d

memory/4072-147-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e26a484a769d45a39e5698206f214a2a
SHA1 5f0c62f6d5cca979df07fbe62b5925fb032f21ca
SHA256 012ef9f3fa3aee31d546ceb8af5a297aa61e16a76bc063fbde3a9e441bb7420e
SHA512 bf99bf9ae4ddff5e2b11580ff180ad4e594173babb6de23cf69c0a4373e3a6e6d324322708fed59049c31f68bbe797adec99814d1355dfd47e1b249013427927

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b07e6da38ca65049fe20a0373f16fd2e
SHA1 744636458b37528302e89b05d107fe3dfdb11496
SHA256 c40a6ba6d5467915ac717731ad702ae05dafe557cd50a75b870efec3513f0ec3
SHA512 27276407085fd67dd0d2538be357cec75a0516e41c026a67a5a1364341040cfccc208924f9ced8fddf51f2eb89ce88022c2bd681d907825c152438528c8811b9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 19288f35c75456f142cd245eb9578690
SHA1 f9f1c92c08899043a5c3a8a3bc069254e2e02e7b
SHA256 1d4131cb65c2c94a87ccf8a1111d6cb45ece1381dc5a8615dadd69c4c08c5534
SHA512 b40e302ca6814e5d53db0b36a2d68b43beab580fee0353497ccaf1b5f3b969e5dd4503c261d06b364dcaa7af6814eecd1cc3b209291d78804b3da04ad173a39e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/692-245-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4944-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/692-255-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2376-257-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/692-258-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-261-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2376-262-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/692-264-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-267-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-270-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-273-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-276-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-279-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-282-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-285-0x0000000000400000-0x000000000310E000-memory.dmp

memory/692-288-0x0000000000400000-0x000000000310E000-memory.dmp