Analysis Overview
SHA256
7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0
Threat Level: Known bad
The file 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0 was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
Modifies Windows Firewall
UPX packed file
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 19:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 19:07
Reported
2024-04-17 19:11
Platform
win10v2004-20240412-en
Max time kernel
183s
Max time network
179s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | "C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | "C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.166.213.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| BE | 2.17.107.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxcr32pj.00a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a4982d32a3ca38343d43169532cb8d75 |
| SHA1 | fc4ec5996220ccefbd4ad8e1db89715240777be3 |
| SHA256 | 9ab381714df549e4934fde8a44a3d85f55c8e951e01c4b5454845f901176c005 |
| SHA512 | 233af13709428eb883faccb55da2505d04a82b87b481a5107ea32e1e004919f2e46035a6067e86f04f796692817ff4a30c949ce2339700ba242564f19d929278 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f69305103db671231c69635575cc8bf2 |
| SHA1 | 8cfae1ba0b4045013f60c01ce53bdf7385e9ebef |
| SHA256 | 697b35215accf0a7faeb66359e6f85ba91562757320ffe82627326fe571e9bc7 |
| SHA512 | 683af2ef7c16ee4b7acd696cffcfb652cdf5741c478a3f13da0d61f2a2a89c46a69eb277d8097b4eb3ccf89bb1c9c399064cd32a996542e89c4b3d93e7b4cf43 |
C:\Windows\rss\csrss.exe
| MD5 | 865849b49fa70dafff6110ff8e6491cc |
| SHA1 | c9d69fb29145b3ecb6ca79e37b17b43c3110869a |
| SHA256 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0 |
| SHA512 | efdf89774402f91265a683178f422e66f7d315ab23166b4b1a7fd2cc8af9d10e17e2bc8f247ee7df745ae4a4654642c2981d0abce00087c32647c68cfa59ba48 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 03028d324173584ee65bdb549194084e |
| SHA1 | f32b29d0f35cd2d04d4f751eb8733631db7601b9 |
| SHA256 | d4e63e404c173be47ecff6ea7580563e69fe3fc607bd81f0f423c0c11e218371 |
| SHA512 | 0f0f09ed37af3d4277a6e9fd3486c3228ed2b93ca3183d507c65d49e9b4c7aca6a11bd6b0ccbc0f08fe26b72b4071500e5f788a9ce1d55e7b5ece1c3c72fdc81 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 19:07
Reported
2024-04-17 19:10
Platform
win11-20240412-en
Max time kernel
1s
Max time network
150s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | "C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | "C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a0f8ebed-264b-45d9-bed1-ac18e53e89db.uuid.databaseupgrade.ru | udp |
| US | 8.8.8.8:53 | server3.databaseupgrade.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| BG | 185.82.216.108:443 | server3.databaseupgrade.ru | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| BG | 185.82.216.108:443 | server3.databaseupgrade.ru | tcp |
| BG | 185.82.216.108:443 | server3.databaseupgrade.ru | tcp |
Files
memory/3612-1-0x0000000004F50000-0x0000000005357000-memory.dmp
memory/3612-2-0x0000000000400000-0x000000000310E000-memory.dmp
memory/3612-3-0x0000000005360000-0x0000000005C4B000-memory.dmp
memory/3732-4-0x00000000046B0000-0x00000000046E6000-memory.dmp
memory/3732-5-0x0000000073F00000-0x00000000746B1000-memory.dmp
memory/3732-8-0x0000000004770000-0x0000000004780000-memory.dmp
memory/3732-7-0x0000000004DB0000-0x00000000053DA000-memory.dmp
memory/3732-6-0x0000000004770000-0x0000000004780000-memory.dmp
memory/3732-9-0x00000000053E0000-0x0000000005402000-memory.dmp
memory/3732-10-0x0000000005480000-0x00000000054E6000-memory.dmp
memory/3732-11-0x0000000005560000-0x00000000055C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_no5hbwcy.m0s.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3732-20-0x0000000005650000-0x00000000059A7000-memory.dmp
memory/3732-21-0x0000000005B60000-0x0000000005B7E000-memory.dmp
memory/3732-22-0x0000000005C10000-0x0000000005C5C000-memory.dmp
memory/3732-23-0x00000000060F0000-0x0000000006136000-memory.dmp
memory/3732-36-0x0000000006FE0000-0x0000000006FFE000-memory.dmp
memory/3732-38-0x0000000004770000-0x0000000004780000-memory.dmp
memory/3732-37-0x0000000007000000-0x00000000070A4000-memory.dmp
memory/3732-27-0x00000000702F0000-0x0000000070647000-memory.dmp
memory/3732-26-0x0000000070170000-0x00000000701BC000-memory.dmp
memory/3732-40-0x0000000007130000-0x000000000714A000-memory.dmp
memory/3732-39-0x0000000007770000-0x0000000007DEA000-memory.dmp
memory/3732-41-0x0000000007170000-0x000000000717A000-memory.dmp
memory/3732-25-0x0000000006FA0000-0x0000000006FD4000-memory.dmp
memory/3732-42-0x0000000007280000-0x0000000007316000-memory.dmp
memory/3732-43-0x0000000007190000-0x00000000071A1000-memory.dmp
memory/3732-24-0x000000007EF90000-0x000000007EFA0000-memory.dmp
memory/3732-44-0x00000000071E0000-0x00000000071EE000-memory.dmp
memory/3732-45-0x00000000071F0000-0x0000000007205000-memory.dmp
memory/3732-46-0x0000000007240000-0x000000000725A000-memory.dmp
memory/3732-47-0x0000000007260000-0x0000000007268000-memory.dmp
memory/3732-50-0x0000000073F00000-0x00000000746B1000-memory.dmp
memory/1932-52-0x0000000004E50000-0x000000000524B000-memory.dmp
memory/3184-58-0x0000000006160000-0x00000000064B7000-memory.dmp
memory/1932-62-0x0000000000400000-0x000000000310E000-memory.dmp
memory/3184-63-0x0000000003130000-0x0000000003140000-memory.dmp
memory/3184-64-0x0000000003130000-0x0000000003140000-memory.dmp
memory/3184-65-0x0000000073F00000-0x00000000746B1000-memory.dmp
memory/3184-66-0x0000000070170000-0x00000000701BC000-memory.dmp
memory/3184-67-0x0000000070380000-0x00000000706D7000-memory.dmp
memory/3612-77-0x0000000004F50000-0x0000000005357000-memory.dmp
memory/3184-78-0x0000000003130000-0x0000000003140000-memory.dmp
memory/3184-76-0x0000000007890000-0x0000000007934000-memory.dmp
memory/3184-79-0x0000000007BE0000-0x0000000007BF1000-memory.dmp
memory/3184-80-0x0000000007C30000-0x0000000007C45000-memory.dmp
memory/3184-83-0x0000000073F00000-0x00000000746B1000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 38dbf7dbb3278921f4a5446f68aa99e5 |
| SHA1 | 7db5c41e13fc4dd19dfa652ed95bac547ba462de |
| SHA256 | cd6ee0734fc2fceeda198578495c3ce068ac6e8c8530d38822677ebbf9441814 |
| SHA512 | 435d3db24b80bf19a0fadd754eadb19cff6c47f24926ee32b6971b2f56d74d16116b79ba64228497181a1819d945f43424c6ac84e4ebff778923538d0bc5ad5e |
memory/3612-94-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2480-96-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/2480-97-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/2480-95-0x0000000073F00000-0x00000000746B1000-memory.dmp
memory/2480-99-0x0000000070170000-0x00000000701BC000-memory.dmp
memory/2480-100-0x00000000702F0000-0x0000000070647000-memory.dmp
memory/2480-110-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/2480-109-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/2480-98-0x000000007F450000-0x000000007F460000-memory.dmp
memory/4728-114-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/1932-115-0x0000000004E50000-0x000000000524B000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 411e50ac7a160e451e7cdefa91d2c92c |
| SHA1 | 47d4c00eeb02f2a5521ce5c9a54ae199aa1dd304 |
| SHA256 | 029c2c4a387463a51d5aef6e9a38e4fc2e362c07100501fb0b1719fb4487d18d |
| SHA512 | 2aa69ec47e50d00502eea1d5952bef86bd7f6c9586f5cacca63bf9a1cb69f0ae3ac6a743d576378360c88042ad36239d8783b0cec37e35deb4ec39d3eb67ac49 |
memory/4728-113-0x0000000073F00000-0x00000000746B1000-memory.dmp
memory/2480-112-0x0000000073F00000-0x00000000746B1000-memory.dmp
memory/1932-125-0x0000000000400000-0x000000000310E000-memory.dmp
memory/4728-128-0x00000000702F0000-0x0000000070647000-memory.dmp
memory/4728-127-0x0000000070170000-0x00000000701BC000-memory.dmp
memory/4728-138-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/4728-137-0x000000007F9A0000-0x000000007F9B0000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 865849b49fa70dafff6110ff8e6491cc |
| SHA1 | c9d69fb29145b3ecb6ca79e37b17b43c3110869a |
| SHA256 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0 |
| SHA512 | efdf89774402f91265a683178f422e66f7d315ab23166b4b1a7fd2cc8af9d10e17e2bc8f247ee7df745ae4a4654642c2981d0abce00087c32647c68cfa59ba48 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 499b3517e8e47921a22d1585b5dba342 |
| SHA1 | 57a29f41b747bfb64eb4e669880a23cf7ce24374 |
| SHA256 | 96956c7a1de3f550343037b943c4a08cdbb247ce309a4501ddf787224f5b0e7c |
| SHA512 | 3a58178eaefe52d05eb686808ae8de12c045dc0feaf1237e956a86833410c9df3cca7643bf6971e922ea9c734471a46a9e8726cf4c8ba70b8e477dfeec3513dd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | eaf8592db0ce8b2cea30a085d83589dd |
| SHA1 | 3de682b4a78247868d7702c7e43b9560cf411992 |
| SHA256 | bead49ef134ce4c300e7999bc458765d77e9486acc7cadcacfa13f41e3aba826 |
| SHA512 | 00ca4bce77331539ebe34dfc8f76753b1a3f44d9a1a2b079f309877ff313583a9caebe09b7cc6d924d8c0bd5c33d30d84dae2e29eadf3c42fa7905f14308f5c1 |
memory/1932-208-0x0000000000400000-0x000000000310E000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 37981230522422bdbe23e02698105b83 |
| SHA1 | 409a89517a54559d657aff43c0ce78e99729fb5d |
| SHA256 | dde991df32541e2db97caedf0cf45c60da5a1e10b629aca4b27f336ac409c523 |
| SHA512 | d8eaa3c8efe5ca2dbae3f5260cc70a87489336ef990f460a6f6de2344b4ebf87fa3069f37cbb0266c034bf7accc45d8805e33d7b5a5faa662c3856874a2fdc63 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2548-242-0x0000000000400000-0x000000000310E000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/956-251-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2548-253-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2708-256-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2548-257-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-261-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2708-264-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2548-265-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-269-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-273-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2708-276-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2548-277-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-281-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-285-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-289-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-293-0x0000000000400000-0x000000000310E000-memory.dmp
memory/2548-297-0x0000000000400000-0x000000000310E000-memory.dmp