Malware Analysis Report

2025-08-10 17:22

Sample ID: 240417-xscvfscd9x
Target: 6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1
SHA256: 6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1
Tags: glupteba discovery dropper evasion loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1

Threat Level: Known bad

The file 6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-17 19:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-17 19:06
Reported: 2024-04-17 19:09
Platform: win10v2004-20240412-en
Max time kernel: 161s
Max time network: 165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
(19 identical rows; no description, indicator, process or target recorded)

Modifies Windows Firewall

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
(4 identical rows; no description, indicator, process or target recorded)

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Checks for VirtualBox DLLs, possible anti-VM trick

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |

Launches sc.exe

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Windows\windefender.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 14 |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A | 12 |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A | 32 |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A | 6 |
(64 events; identical rows grouped by process, Count is the number of occurrences)

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target | Count |
|---|---|---|---|---|
| PID 3924 wrote to memory of 516 | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 2676 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 2676 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | C:\Windows\system32\cmd.exe | 2 |
| PID 3604 wrote to memory of 4804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe | 2 |
| PID 2676 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 2676 wrote to memory of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 2676 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe | C:\Windows\rss\csrss.exe | 3 |
| PID 1180 wrote to memory of 1280 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 1180 wrote to memory of 2760 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 1180 wrote to memory of 4772 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3 |
| PID 1180 wrote to memory of 1668 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | 2 |
| PID 4660 wrote to memory of 4572 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe | 3 |
| PID 4572 wrote to memory of 3360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe | 3 |
(36 events; identical rows grouped, Count is the number of occurrences)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe

"C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe

"C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 2f1aa1a4-9eeb-410b-9b4d-2d5895e7f1df.uuid.localstats.org udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server2.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.111:443 server2.localstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
BG 185.82.216.111:443 server2.localstats.org tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3y13kt1.txt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba217346b9673c8463842ad8c4813ef0
SHA1 9518cba14131e1d499472a11f4d89e947f08fcf2
SHA256 2b696fe54a2ab82cae79b0089a1e5bcefa089e923ee1d348bba2dfd3f0bddca6
SHA512 855aace1e25c74379a684732587a4ef3149a6486bfd1a17361ece202d7d2cd3978664fc3184dfcc59b04dd77f14aff5fcfa23681d4a8faebfaa701c06007b956

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5c40eccfa90554b8826f9cd5dcbe43af
SHA1 629e349ad02385f19e6a7073ba9d49d1753f2d50
SHA256 cb3f249e2aa172024a528ce1671222a2c33a3ad783c15331ccaf39f9523ea299
SHA512 bd01b0f2744ca412e3ea67a60b577e04567c5cfde51f7ddbb23c3c5a9c7989880d7913ba0549a0ac63bd97c688922706b7d71b451ae17fc6f7b79cbb96718958

C:\Windows\rss\csrss.exe

MD5 064ed882f2f65436f878975e2016a90b
SHA1 17d7fc2b5bc1f142479f66b6768c73306e4eb48a
SHA256 6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1
SHA512 507cfc1f1ab91b9f033746f8091427e3842366e8f257f36a1d3dce88ad2aa6d268869518222b5bd32a6c7bd6b251a1c9623ba465b083de37fefd1a71b1f8ed79

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3a50a9fae755f5d10536a0bb0d280243
SHA1 c055117951cbc9bef067acfdd4506eddb0bbb695
SHA256 6d169c3cd045097cc53c07efb42d154180061a9b2bd2f17810e98d1297680531
SHA512 e89bcad13f48055ecaec99b7d4f1808504f0f15baa90cc30ebfdeab63acc3181293cd5d1b2e5b2b0dd6975a013c8dca767b7871799181a02282f3bd79d914be7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 66fa6e7fcc50a60a7987ee330a99f7cd
SHA1 7d9c353bc9e39b1e85750fed4c7d62b3b6f7f2a4
SHA256 7ccf503ae93635b9c820792054effef8bdf12547588df39e0a89134e35b97b15
SHA512 d89013413c29a80e76f2cce891618630da8b841de276743cd4484497f3333a67e44fdd9265e554f5cc979a1ce75312aace64a382b3cb2f1999338eb3510265e0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f86c980e22ac1bd0897f490116a6167f
SHA1 e1f67cafa6b73fcf5c93a9747b58e547ca12d6a7
SHA256 da2999b93ab04859feb8a6f2226035c2357651a38b8543248e0c3faf825a7c47
SHA512 54a17645ce62eb91f06624d962b7036e30fb2da4b7ff20e0a42749438e8cc9fce1da8beff9ba81ca447e581a6c9213b3a05a07a680fda1f65c11d7824096fc77

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:06

Reported

2024-04-17 19:09

Platform

win11-20240412-en

Max time kernel

1s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe

"C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe

"C:\Users\Admin\AppData\Local\Temp\6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 29eb0c6a-20cc-429f-9054-407c95015843.uuid.localstats.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server9.localstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server9.localstats.org tcp
US 52.111.227.13:443 tcp
BG 185.82.216.111:443 server9.localstats.org tcp
BG 185.82.216.111:443 server9.localstats.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dib0tpxs.u45.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fd4349773bbc67f99a1bcb3df3ec75be
SHA1 73bf4ce42981bcc5a41be37442ad0eb0a0e58a06
SHA256 b1c71b8cac90fabce44ccbaf03883c8d5c51b75344f34cf481567fbd872dcdca
SHA512 737192483167d02e0d80a0fcaa8c57f40f4159f33ec8154d02a30e0211e35fad7d61107fa620216453a162f0a4fcd3897c371a672d88cb31df20cd8f57dbcebb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b28c3c7151e89106578e95b656b38740
SHA1 54b90df62b43047925c99d5d49345ea6c9cf42c5
SHA256 64b135595c23720874e9711db92c2fbb99e7a633e8c3107afb75a30d2be3ff4a
SHA512 7ba099ac207d1b895314e7dd4dc54e769f1a70b6099285628da5f1339745fc5fd52a4c270e47bdcfe7dc5cbc8de334385739858aac7632bd9a93460ecf38f0e6

C:\Windows\rss\csrss.exe

MD5 064ed882f2f65436f878975e2016a90b
SHA1 17d7fc2b5bc1f142479f66b6768c73306e4eb48a
SHA256 6c0e9b80ad0aa476b430ed152146326a7f1278f7ab0e6d7e53030d830f0faab1
SHA512 507cfc1f1ab91b9f033746f8091427e3842366e8f257f36a1d3dce88ad2aa6d268869518222b5bd32a6c7bd6b251a1c9623ba465b083de37fefd1a71b1f8ed79

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bcf3b06e396947c16ecf7356d5a518a1
SHA1 2e2d2cb2033d9783ee5b910c78b93ee99e2ef563
SHA256 09926a1b056e235c29fd8d52fa8d628769aca3055aabc494ca1f022247c0d13c
SHA512 486a7a985569ffc146cef2d9a465aed55342fbea954d347c2b7d35a9f06eea85d58a0a4b765313dad056b5618540731403e02bcb9442cce2a88732aec12ec627

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1c799c31bf4df06d6d001f6dc7b9808
SHA1 3c57824f86b37104fd0a367cd6cddd62d5ca24af
SHA256 bafcbb8fca7dbd701fd8f38dbe3dc83692dabfb88c60daabfddc9963fc69e3b7
SHA512 324929d0cba1999d6f4125755ce9ee939a6adae356cedbad89b0ddba47ed5e768a2ba7b050631c82624f17e3cfa67faf05980fccdda9a3c38e53e8febfff436f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5d29f927755ddd6a19fff249f48cc278
SHA1 4e0728a8a5a3dbdadabe17870487fe5a3f9ccf4f
SHA256 e828a6c14ff0dd1398ce9f49185764d3827dbec1821f8e8e5f95602d68100226
SHA512 af475951263a3ea0a740ed3f81b704b94a78a388714d8fb05201bdbe7cd3d6da64861a94a51d4c614d510bf4c8b46277946e76c40c00d8a1744fc2e1246f2f09

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
