Malware Analysis Report

2025-08-10 17:21

Sample ID 240417-xwtmdacf4y
Target b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c
SHA256 b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c

Threat Level: Known bad

The file b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:12

Reported

2024-04-17 19:15

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4388 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4388 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\System32\Conhost.exe
PID 4324 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\System32\Conhost.exe
PID 4324 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\System32\Conhost.exe
PID 4324 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\system32\cmd.exe
PID 4324 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2848 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4324 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4324 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\rss\csrss.exe
PID 4324 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\rss\csrss.exe
PID 4324 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe C:\Windows\rss\csrss.exe
PID 3616 wrote to memory of 440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 440 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 1576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 1576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 1576 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3732 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3052 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3616 wrote to memory of 3052 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2028 wrote to memory of 4408 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 4408 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 4408 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4408 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4408 wrote to memory of 4364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe

"C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe

"C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
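The `sc sdset WinDefender ...` line above (the same command appears again in the behavioral2 process list) rewrites the security descriptor of the service the sample registers under the Defender-like name WinDefender. Decoded, the DACL grants LocalSystem the usual control rights, grants Administrators configuration, delete and DACL-write rights, but carries an explicit deny ACE that strips SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) from Administrators, so `sc stop WinDefender` fails for a local admin while the service can still be started. The SACL audits failed access by Everyone. The decoder below is an added example written for this report, not code from the sandbox or from the sample; the right-code table is the standard service-object mapping from the Windows SDDL documentation, and the access check is a deliberate simplification that walks only explicit ACEs for one trustee, without group expansion or inheritance.

```python
import re

# SDDL string exactly as recorded in the sc.exe command line above (page data).
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL right codes as they apply to service objects (SERVICE_* masks).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
TRUSTEES = {"SY": "LocalSystem", "BA": "BUILTIN\\Administrators",
            "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone"}

_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return {"D": [ace, ...], "S": [ace, ...]}; each ACE is decoded into a dict."""
    out = {"D": [], "S": []}
    # Sections are introduced by O:, G:, D: or S:; only DACL and SACL matter here.
    for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        section, body = m.group(1), m.group(2)
        if section not in out:
            continue
        for ace in _ACE_RE.findall(body):
            fields = (ace.split(";") + [""] * 6)[:6]
            atype, flags, rights, _obj_guid, _inh_guid, sid = fields
            if rights.lower().startswith("0x"):
                codes = [rights]                 # raw hex mask, left undecoded
            else:
                codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            out[section].append({
                "type": ACE_TYPES.get(atype, atype),
                "flags": flags,                  # e.g. FA = audit failed access
                "rights": [SERVICE_RIGHTS.get(c, c) for c in codes],
                "trustee": TRUSTEES.get(sid, sid),
            })
    return out


def effective_rights(dacl, trustee):
    """(allowed - denied, denied) from the explicit ACEs naming one trustee.

    Simplification for the example: no group expansion, no inheritance, and
    allow/deny are treated as sets rather than walked bit-by-bit in ACE order.
    """
    allowed, denied = set(), set()
    for ace in dacl:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "ALLOW":
            allowed.update(ace["rights"])
        elif ace["type"] == "DENY":
            denied.update(ace["rights"])
    return allowed - denied, denied


def admins_can_stop(sddl):
    """True only if BUILTIN\\Administrators is granted SERVICE_STOP and not denied it."""
    allowed, denied = effective_rights(parse_sddl(sddl)["D"], "BUILTIN\\Administrators")
    return "SERVICE_STOP" in allowed and "SERVICE_STOP" not in denied


if __name__ == "__main__":
    acl = parse_sddl(WINDEFENDER_SDDL)
    for ace in acl["D"]:
        print(f'{ace["type"]:5} {ace["trustee"]:25} {", ".join(ace["rights"])}')
    print("Administrators can stop the service:", admins_can_stop(WINDEFENDER_SDDL))
```

Because the BA allow ACE still carries WD (WRITE_DAC), an administrator can recover by rewriting the descriptor with `sc sdset WinDefender <default SDDL>` and only then stopping and deleting the service; `sc sdshow WinDefender` dumps the live descriptor for comparison against the string above.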

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 11.58.22.2.in-addr.arpa udp
US 8.8.8.8:53 50caeeb0-3a71-4d64-aa13-f58bb05dab70.uuid.allstatsin.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.allstatsin.ru udp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 udp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
N/A 127.0.0.1:31465 tcp

Files

memory/4388-1-0x0000000004E40000-0x0000000005247000-memory.dmp

memory/4388-2-0x0000000005250000-0x0000000005B3B000-memory.dmp

memory/4388-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4496-4-0x00000000046B0000-0x00000000046E6000-memory.dmp

memory/4496-5-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/4496-7-0x00000000047F0000-0x0000000004800000-memory.dmp

memory/4496-8-0x0000000004E30000-0x0000000005458000-memory.dmp

memory/4496-6-0x00000000047F0000-0x0000000004800000-memory.dmp

memory/4496-9-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k1mwewkk.jba.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4496-11-0x0000000005510000-0x0000000005576000-memory.dmp

memory/4496-21-0x0000000005680000-0x00000000059D4000-memory.dmp

memory/4496-10-0x0000000004D40000-0x0000000004DA6000-memory.dmp

memory/4496-23-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

memory/4496-22-0x0000000005C60000-0x0000000005C7E000-memory.dmp

memory/4496-24-0x00000000061C0000-0x0000000006204000-memory.dmp

memory/4496-25-0x0000000006F90000-0x0000000007006000-memory.dmp

memory/4496-27-0x0000000007030000-0x000000000704A000-memory.dmp

memory/4496-26-0x0000000007690000-0x0000000007D0A000-memory.dmp

memory/4496-29-0x00000000071E0000-0x0000000007212000-memory.dmp

memory/4496-43-0x00000000047F0000-0x0000000004800000-memory.dmp

memory/4496-42-0x0000000007240000-0x00000000072E3000-memory.dmp

memory/4496-41-0x0000000007220000-0x000000000723E000-memory.dmp

memory/4496-44-0x0000000007330000-0x000000000733A000-memory.dmp

memory/4496-31-0x0000000070230000-0x0000000070584000-memory.dmp

memory/4496-30-0x000000006FE60000-0x000000006FEAC000-memory.dmp

memory/4496-28-0x000000007F440000-0x000000007F450000-memory.dmp

memory/4496-45-0x00000000073F0000-0x0000000007486000-memory.dmp

memory/4496-46-0x0000000007350000-0x0000000007361000-memory.dmp

memory/4496-47-0x0000000007390000-0x000000000739E000-memory.dmp

memory/4496-50-0x00000000073E0000-0x00000000073E8000-memory.dmp

memory/4496-49-0x0000000007490000-0x00000000074AA000-memory.dmp

memory/4496-48-0x00000000073A0000-0x00000000073B4000-memory.dmp

memory/4496-53-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/4324-55-0x0000000004DA0000-0x000000000519D000-memory.dmp

memory/4324-56-0x00000000051A0000-0x0000000005A8B000-memory.dmp

memory/4324-57-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4416-67-0x0000000005990000-0x0000000005CE4000-memory.dmp

memory/4416-70-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/4416-69-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/4388-68-0x0000000004E40000-0x0000000005247000-memory.dmp

memory/4416-71-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/4416-72-0x000000006FE60000-0x000000006FEAC000-memory.dmp

memory/4416-83-0x00000000070D0000-0x0000000007173000-memory.dmp

memory/4416-73-0x000000006FFE0000-0x0000000070334000-memory.dmp

memory/4416-85-0x000000007EE20000-0x000000007EE30000-memory.dmp

memory/4416-87-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/4416-86-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/4388-84-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4416-88-0x00000000073D0000-0x00000000073E1000-memory.dmp

memory/4416-89-0x0000000007420000-0x0000000007434000-memory.dmp

memory/4416-92-0x0000000073FC0000-0x0000000074770000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2036-96-0x0000000004F30000-0x0000000004F40000-memory.dmp

memory/2036-95-0x0000000004F30000-0x0000000004F40000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7995f895236f64e0b32cca834259a4f0
SHA1 bbc64c556fb6ba9a2068dd29abc195eec8d502b9
SHA256 83427cbb175e24923eff5ef5c5a600d096df757b7e7a3d627627381acbd12479
SHA512 7d3aa9c8aa604dd09a836370041ad66af3763ce754a45699403b2e8db7eb7a65fa8b09e70abb1e60e551b1caf336600f28d1a634f99ce28bdcc8afadf4d8aaa1

memory/2036-94-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/2036-109-0x000000006FFE0000-0x0000000070334000-memory.dmp

memory/2036-119-0x0000000004F30000-0x0000000004F40000-memory.dmp

memory/2036-108-0x000000006FE60000-0x000000006FEAC000-memory.dmp

memory/2036-107-0x000000007EFF0000-0x000000007F000000-memory.dmp

memory/2036-121-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/1064-124-0x0000000004850000-0x0000000004860000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0a09ddfe2085f510214d199eba1c0a29
SHA1 13ba7922e0d7463d02aaecf8750f88b35cb1abdf
SHA256 8a73cc717c65d9fd31e5147960991b7361c2ec4dd5e10bf8bcb47acd29ac8724
SHA512 5670ad11e743cc2d3cf7cffdb096c76365b4424e74d2f7790682f72a578dadd4c8b57e78b9ba3d06b49d74577bd3ce6232f52277e7933ab2ea6d38036d2c0e7d

memory/1064-134-0x0000000004850000-0x0000000004860000-memory.dmp

memory/4324-123-0x0000000004DA0000-0x000000000519D000-memory.dmp

memory/1064-122-0x0000000073FC0000-0x0000000074770000-memory.dmp

memory/1064-136-0x000000006FE60000-0x000000006FEAC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 61d02b87cb3d952fc8d9ca51a0b8e751
SHA1 84a4a7bfb8f7e602caf373323026c3c5ffe6b8b3
SHA256 b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c
SHA512 cca8bde233d7de0f6f6326f52ef5ce1e1e8c16a0d5a17ff8f22ce5e31589ce5fe0e65d953c3ed2f285c6d80623df24d5b8c84483793ead6693a50e0728e5d483

memory/4324-157-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 40a91476495fcf9c4c4a8dd83450abe3
SHA1 28b47cf43610c0879711ceaecfc1bfe9a6505211
SHA256 b9d7aaa0cb5a0271ecf791b3cf48f25b55e88ac89095e0ecac03d8f19f752689
SHA512 8e9932c21524653c2c4997a38ef5e868f9e5b14b286147dc9658d669f3948bce802b769e48a4abe3fc02c9ee7804d6ff05e1c2cd28ffb8b160ea80376894856c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 785fd17e407d8c72d93f8ae60b381816
SHA1 1b0ba35bf3b3480587e581a69026c922daa51558
SHA256 0c90231502a5f3cac2f250fcf920954ce53b884dabd0e0689a634cef67709272
SHA512 8d10523109c913c6ef7938364c5258a70b1281a0bc61303b25266bf445a59ec185a1a4451593822dfb32651459daf5d0b3228be4151235d4e389cd798b53140d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 498df184a7d706048dd2f346ca5c6a88
SHA1 4ff67fa7c288791b00933bc6ac408c3ad43f42b8
SHA256 b6db5fd30a181a7cb444d7683edbe2c6ac447f56ea3ee9e3ed0b4bde8cd02a12
SHA512 09b53cb4ddd81dcee9869e029cd5f7d181a9088433bf4089cfa6bf10976f18d655d854933babbd703baaa912c7ae394b907e77a21f3d87496198ee8b5f001e11

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3616-258-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2028-265-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3616-268-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3596-269-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3616-271-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-274-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3596-275-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3616-277-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-280-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-283-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-286-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-289-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-292-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-295-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-298-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3616-301-0x0000000000400000-0x000000000310E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:12

Reported

2024-04-17 19:15

Platform

win11-20240412-en

Max time kernel

1s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows; no description, indicator, process or target recorded)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows; no description, indicator, process or target recorded)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe

"C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe

"C:\Users\Admin\AppData\Local\Temp\b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
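Both process lists (behavioral1 and this one) record the same chain: a scheduled task named csrss that runs C:\Windows\rss\csrss.exe at logon with highest privileges, an inbound firewall allow rule for that path, a service DACL that denies Administrators stop and pause rights, an injector that loads NtQuerySystemInformationHook.dll into taskmgr.exe (the DLL name suggests hooking process enumeration in Task Manager; the report does not show the DLL's contents), and a binary outside System32 carrying the name of a Windows system process. The Python below is an added example for this report, not code from the sandbox or from the sample: five command-line rules run over the command lines recorded above plus two constructed benign lines marked in the block, the kind of logic one would port to a SIEM query over process-creation events. The list of system-binary names and the rule conditions are assumptions for the example.

```python
import re

# Command lines as recorded in the Processes lists (page data), followed by two
# constructed benign lines so the rules have negatives to pass over.
SAMPLE_CMDLINES = [
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'schtasks /delete /tn ScheduledUpdate /f',
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
    'program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)'
    '(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe '
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll',
    'C:\\Windows\\rss\\csrss.exe',
    # constructed benign lines (not from the report):
    'schtasks /CREATE /SC DAILY /TR "C:\\Program Files\\Vendor\\updater.exe" /TN VendorUpdate /F',
    'sc sdset Spooler D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)',
]

# Names of genuine Windows system binaries that malware borrows (assumed list).
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                       "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path):
    return path.strip('"').lower().startswith(SYSTEM_DIRS)


def _image(cmd):
    """First token of a command line, honouring a quoted image path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(None, 1)[0]


def rule_masquerading_task(cmd):
    """schtasks /CREATE whose /TR target borrows a system-binary name outside the system dirs."""
    m = re.search(r'schtasks\s+/create\b.*?/tr\s+"?([^"]+?)"?\s+/tn', cmd, re.I)
    if m:
        target = m.group(1).strip()
        if _basename(target) in SYSTEM_BINARY_NAMES and not _in_system_dir(target):
            return f"scheduled task runs {target}, a system-binary name outside the system directory"
    return None


def rule_firewall_allow(cmd):
    """netsh advfirewall allow rule for a program that does not live in System32/SysWOW64."""
    if not re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", cmd, re.I):
        return None
    prog = re.search(r'program="([^"]+)"', cmd, re.I)
    if prog and re.search(r"action=allow", cmd, re.I) and not _in_system_dir(prog.group(1)):
        return f"inbound allow rule for {prog.group(1)}"
    return None


def rule_service_dacl_blocks_admins(cmd):
    """sc sdset with a deny ACE that takes SERVICE_STOP (WP) or SERVICE_PAUSE_CONTINUE (DT) from BA."""
    if not re.search(r"\bsc(\.exe)?\s+sdset\b", cmd, re.I):
        return None
    for rights in re.findall(r"\(D;[^;]*;([A-Z]+);[^;]*;[^;]*;BA\)", cmd):
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if codes & {"WP", "DT"}:
            return "deny ACE removes SERVICE_STOP/SERVICE_PAUSE_CONTINUE from Administrators"
    return None


def rule_injector_with_hook_dll(cmd):
    """A DLL argument whose name contains 'hook' next to a target process name."""
    toks = cmd.split()
    dlls = [t for t in toks if t.lower().endswith(".dll")]
    if any("hook" in _basename(d) for d in dlls) and any(t.lower().endswith(".exe") for t in toks[1:]):
        return f"loads {_basename(dlls[0])} into another process"
    return None


def rule_system_name_outside_system_dir(cmd):
    """Image with a system-process name executing from outside System32/SysWOW64."""
    image = _image(cmd)
    if _basename(image) in SYSTEM_BINARY_NAMES and not _in_system_dir(image):
        return f"{image} masquerades as a Windows system process"
    return None


RULES = [rule_masquerading_task, rule_firewall_allow, rule_service_dacl_blocks_admins,
         rule_injector_with_hook_dll, rule_system_name_outside_system_dir]


def scan(cmdlines):
    """Run every rule over every command line; return (rule name, reason, command line) findings."""
    findings = []
    for cmd in cmdlines:
        for rule in RULES:
            reason = rule(cmd)
            if reason:
                findings.append((rule.__name__, reason, cmd))
    return findings


if __name__ == "__main__":
    for rule, reason, cmd in scan(SAMPLE_CMDLINES):
        print(f"[{rule}] {reason}\n    {cmd[:90]}")
```

Each of the five recorded malicious lines trips exactly one rule and neither constructed benign line trips any; the `schtasks /delete /tn ScheduledUpdate /f` line is left alone, since on its own it is not distinguishable from housekeeping.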

Network

Country Destination Domain Proto
US 8.8.8.8:53 eed4ae38-b2b9-4efe-a6dd-6af8eed9fa92.uuid.allstatsin.ru udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 server4.allstatsin.ru udp
US 162.159.135.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.104:443 server4.allstatsin.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server4.allstatsin.ru tcp
BG 185.82.216.104:443 server4.allstatsin.ru tcp
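The two Network tables (behavioral1 above and behavioral2 here) mix the sandbox resolver's traffic, reverse (PTR) lookups and OS background connections with the hosts the sample actually contacts, and the per-victim UUID hostnames under uuid.allstatsin.ru differ between runs. The Python below is an added example for this report, not sandbox output: it parses rows in the tables' format, converts in-addr.arpa names back to addresses so reverse lookups can be matched against contacted IPs (the sample reverse-resolves 185.82.216.104, the server it talks to on 443), collapses the UUID labels into one pattern suitable for a DNS rule, and drops resolver, loopback and allowlisted rows. The embedded rows are a subset copied from both tables that covers every distinct destination; treating g.bing.com as OS background traffic is an assumption for the example, not a finding of the report.

```python
import ipaddress
import re

# Subset of rows copied from the two Network tables (page data), one per distinct
# destination, including the rows whose Domain column is empty.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 50caeeb0-3a71-4d64-aa13-f58bb05dab70.uuid.allstatsin.ru udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server13.allstatsin.ru udp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server13.allstatsin.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 127.0.0.1:31465 tcp
US 8.8.8.8:53 eed4ae38-b2b9-4efe-a6dd-6af8eed9fa92.uuid.allstatsin.ru udp
US 8.8.8.8:53 server4.allstatsin.ru udp
US 162.159.135.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.104:443 server4.allstatsin.ru tcp
"""

UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.uuid\.")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3:
            continue
        country, dest, proto = tok[0], tok[1], tok[-1]
        domain = tok[2] if len(tok) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'104.216.82.185.in-addr.arpa' -> '185.82.216.104'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ".".join(reversed(octets))


def strip_uuid_label(domain):
    """Collapse the per-victim UUID label so both runs map to one hostname pattern."""
    return UUID_LABEL.sub("<uuid>.uuid.", domain)


def extract_iocs(rows, resolver="8.8.8.8", allowlist=frozenset()):
    queried, reverse, connections = set(), set(), set()
    for r in rows:
        if r["ip"] == resolver and r["port"] == 53:
            if not r["domain"]:
                continue                       # empty Domain column: nothing to extract
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse.add(ip)                # sample reverse-resolved this address
            elif r["domain"] not in allowlist:
                queried.add(r["domain"])
            continue
        if ipaddress.ip_address(r["ip"]).is_loopback or r["domain"] in allowlist:
            continue
        connections.add((r["ip"], r["port"], r["proto"], r["domain"]))
    contacted = {c[0] for c in connections}
    return {
        "queried_domains": sorted(queried),
        "domain_patterns": sorted({strip_uuid_label(d) for d in queried}),
        "connections": sorted(connections),
        "reverse_lookups_of_contacted_ips": sorted(reverse & contacted),
    }


if __name__ == "__main__":
    # Allowlisting g.bing.com as OS background traffic is an assumption for this example.
    iocs = extract_iocs(parse_rows(NETWORK_ROWS), allowlist=frozenset({"g.bing.com"}))
    for key, values in iocs.items():
        print(key)
        for v in values:
            print("   ", v)
```

cdn.discordapp.com and the Google STUN servers are legitimate services that appear in the sample's traffic; the example keeps them as candidates rather than deciding for you, since blocking them is a policy call, while the allstatsin.ru pattern and 185.82.216.104 are specific to this sample.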

Files

memory/4800-1-0x0000000004F70000-0x000000000536E000-memory.dmp

memory/4800-2-0x0000000005370000-0x0000000005C5B000-memory.dmp

memory/4800-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1708-4-0x0000000002790000-0x00000000027C6000-memory.dmp

memory/1708-5-0x0000000074560000-0x0000000074D11000-memory.dmp

memory/1708-7-0x0000000004C00000-0x0000000004C10000-memory.dmp

memory/1708-6-0x0000000004C00000-0x0000000004C10000-memory.dmp

memory/1708-8-0x0000000005240000-0x000000000586A000-memory.dmp

memory/1708-9-0x00000000050B0000-0x00000000050D2000-memory.dmp

memory/1708-11-0x00000000051D0000-0x0000000005236000-memory.dmp

memory/1708-10-0x0000000005160000-0x00000000051C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4yqxwe32.bdm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1708-20-0x0000000005A30000-0x0000000005D87000-memory.dmp

memory/1708-21-0x0000000005F70000-0x0000000005F8E000-memory.dmp

memory/1708-22-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

memory/1708-23-0x00000000064F0000-0x0000000006536000-memory.dmp

memory/1708-26-0x00000000707D0000-0x000000007081C000-memory.dmp

memory/1708-38-0x0000000007400000-0x00000000074A4000-memory.dmp

memory/1708-37-0x0000000004C00000-0x0000000004C10000-memory.dmp

memory/1708-36-0x00000000073E0000-0x00000000073FE000-memory.dmp

memory/1708-27-0x0000000070960000-0x0000000070CB7000-memory.dmp

memory/1708-25-0x00000000073A0000-0x00000000073D4000-memory.dmp

memory/1708-24-0x000000007FDF0000-0x000000007FE00000-memory.dmp

memory/1708-39-0x0000000007B70000-0x00000000081EA000-memory.dmp

memory/1708-40-0x0000000007530000-0x000000000754A000-memory.dmp

memory/1708-41-0x0000000007570000-0x000000000757A000-memory.dmp

memory/1708-42-0x0000000007680000-0x0000000007716000-memory.dmp

memory/1708-43-0x0000000007590000-0x00000000075A1000-memory.dmp

memory/1708-44-0x00000000075E0000-0x00000000075EE000-memory.dmp

memory/1708-45-0x00000000075F0000-0x0000000007605000-memory.dmp

memory/1708-46-0x0000000007640000-0x000000000765A000-memory.dmp

memory/1708-47-0x0000000007660000-0x0000000007668000-memory.dmp

memory/1708-50-0x0000000074560000-0x0000000074D11000-memory.dmp

memory/2332-52-0x0000000004E40000-0x000000000523F000-memory.dmp

memory/2332-53-0x0000000005240000-0x0000000005B2B000-memory.dmp

memory/4920-62-0x0000000005830000-0x0000000005B87000-memory.dmp

memory/2332-63-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4800-64-0x0000000004F70000-0x000000000536E000-memory.dmp

memory/4920-65-0x00000000023B0000-0x00000000023C0000-memory.dmp

memory/4920-66-0x00000000023B0000-0x00000000023C0000-memory.dmp

memory/4920-67-0x0000000074560000-0x0000000074D11000-memory.dmp

memory/4920-68-0x00000000707D0000-0x000000007081C000-memory.dmp

memory/4920-69-0x0000000070950000-0x0000000070CA7000-memory.dmp

memory/4920-78-0x0000000006E90000-0x0000000006F34000-memory.dmp

memory/4800-79-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4920-81-0x00000000023B0000-0x00000000023C0000-memory.dmp

memory/4920-82-0x00000000023B0000-0x00000000023C0000-memory.dmp

memory/4920-80-0x000000007FD60000-0x000000007FD70000-memory.dmp

memory/4920-83-0x00000000071A0000-0x00000000071B1000-memory.dmp

memory/4920-84-0x00000000071F0000-0x0000000007205000-memory.dmp

memory/4920-87-0x0000000074560000-0x0000000074D11000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4960-89-0x0000000074560000-0x0000000074D11000-memory.dmp

memory/4960-91-0x0000000003310000-0x0000000003320000-memory.dmp

memory/4960-90-0x0000000003310000-0x0000000003320000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a1c70941d1c6afcffaea62803a755c6
SHA1 48d29ed24d0fe6052cb634a1acd3f85233a984a9
SHA256 ae50b58c384100978fdaf92ede209be9c03da2fb46f70b1d2f1f89c5afd90c22
SHA512 0c5840ef34e9343dc32554f3adfdfdca05a854bbf84093b2daddd373bd272fec4759631642974c183036ebdd61517de15bf5229de8936e35d2d5db3a308530f3

memory/4960-100-0x0000000006230000-0x0000000006587000-memory.dmp

memory/4960-114-0x0000000003310000-0x0000000003320000-memory.dmp

memory/4960-113-0x0000000003310000-0x0000000003320000-memory.dmp

memory/4960-104-0x00000000709E0000-0x0000000070D37000-memory.dmp

memory/4960-103-0x00000000707D0000-0x000000007081C000-memory.dmp

memory/4960-102-0x000000007F160000-0x000000007F170000-memory.dmp

memory/1696-117-0x0000000074560000-0x0000000074D11000-memory.dmp

memory/1696-119-0x00000000058D0000-0x0000000005C27000-memory.dmp

memory/2332-118-0x0000000004E40000-0x000000000523F000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e58f58ddf9758b8c8d78211e489747f9
SHA1 8b0911287712aa9a6f7e5e1b392c420f9b59eaf7
SHA256 41cf77d98fd25511f91814ac93c14fbe4fba7df891f8651e44930f0f895ab6a4
SHA512 fbd1552497db54715d5c195ed420f0c1632bc9ba5d7dd2c273d7ae5a518b590713ccad8d8d9556174710caa1b4e27acdb8e3723e1aa7f6ffb4a1819b84671bb3

memory/4960-116-0x0000000074560000-0x0000000074D11000-memory.dmp

memory/1696-130-0x00000000707D0000-0x000000007081C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 61d02b87cb3d952fc8d9ca51a0b8e751
SHA1 84a4a7bfb8f7e602caf373323026c3c5ffe6b8b3
SHA256 b4ed8237a175ea144f64b71dc85b0b3c042d9797a1b6e6a9b445e4cad34f0a9c
SHA512 cca8bde233d7de0f6f6326f52ef5ce1e1e8c16a0d5a17ff8f22ce5e31589ce5fe0e65d953c3ed2f285c6d80623df24d5b8c84483793ead6693a50e0728e5d483

memory/2332-148-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad840060f73983accf2d8a3e9e9de001
SHA1 e579dd4c4b84dd2c2a2c1bc7ef92a9b17af76dd9
SHA256 08b014027b81b06bfe650264168c2ea09035907dcbe882e9bf652c64ed735c33
SHA512 55b5ae57c45fff861f4ecc8c1651844a88b1dd2ab48327795cd4a2bd0342069c0232a28ddad1c713288621b9b1b3b505fe933b44bbc0aa093006c071c3c07895

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3fc532322346de2db23fa87cf3878c51
SHA1 1345668f33f5b1640c20c8b07df09f39d44d08e6
SHA256 5e9a9c92f8b7e79af489e6b1df4bc27153f43107b7ec2b559d5c72d2cb6ab6da
SHA512 5d3321587596f43f2666b0d1d480b682d201148089f7ee3b2c98149f71727e929b3877a43e88209ea04b443e8fa492eec974f50ac5ee12bf45417cf05429cccc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2bcf48220a79bd58113fd59bcb025c35
SHA1 433667d3d5aa224265711fadfd08e3d34249e915
SHA256 0b4effd29f4018872c879f1060969aaacad447a3d90da5645101f45e1aa6efa4
SHA512 81b63da4b9f8f2aa36559e506d914b4d3ddab5e4be9b4e6b3502faf886315d1e8f3332e0e8f49dd42c174476b4e4b8b7dabd2a775cf88a842ab61c15b7b4a193

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1756-241-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3688-248-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1756-251-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3724-253-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1756-254-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-257-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3724-259-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1756-260-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-263-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-266-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-269-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-272-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-275-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-278-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-281-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1756-284-0x0000000000400000-0x000000000310E000-memory.dmp