Malware Analysis Report

2025-08-06 03:32

Sample ID 240419-rel83sec49
Target 24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1
SHA256 24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1
Tags
glupteba discovery dropper evasion loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1

Threat Level: Known bad

The file 24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 14:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 14:06

Reported

2024-04-19 14:09

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1608 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\rss\csrss.exe
PID 632 wrote to memory of 2676 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 632 wrote to memory of 2620 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 632 wrote to memory of 2384 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 632 wrote to memory of 2236 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3348 wrote to memory of 1520 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe

"C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1300 -ip 1300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 2576

C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe

"C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ab460146-8bed-4363-ab36-7f902a387c10.uuid.alldatadump.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server7.alldatadump.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.108:443 server7.alldatadump.org tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
BG 185.82.216.108:443 server7.alldatadump.org tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server7.alldatadump.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:31465 tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40ipnwfd.waa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5d1d73796067487e267a4caee703d96a
SHA1 8b2b3217fe1a22256025e70ffbd8b86d86138f18
SHA256 5d3426d10b2c324b4df307be8b5cd3fa648a31f7e9eef3dd9c9194a0f2fd962b
SHA512 321b32d80a9769337c9c81227721295fddbfebda51f7737f389fc8136a1c8db87300dd50192e24d7a0c29ab5d70aa59693422e74b827545c6cf92616f85452b8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 753f7ff62904218cb37892b188920d2d
SHA1 0bfd01283f70a5cb1b9386ff2273618141346a70
SHA256 a26e1cc9dc6d647e52c8d86230bd4c1cf5eaf2acc60266af58eb273cd5233122
SHA512 afe09fad9d46ce447b302a1356176dfac2aebb38c87115c4b9f04ac1eefaf3ce939191111ce813c86ac9e10ccecea806b69a52d43ad303fb400ddc0c66ea8e7e

C:\Windows\rss\csrss.exe

MD5 db2f86f571ecd23acdff760266048eb2
SHA1 20d81819908f0e38b41c8070fd2b301e4524420c
SHA256 24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1
SHA512 0b55c35492c38a7815aa805c5e660f67fc085681f6068a2449a0d005171a9db60c29af08d71f209bdea5765919be2ea826c5d38edcc02104d6aebd05e2f78ee5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f6659a51c8e066cf753bd0ea2810303
SHA1 97314254e53894fa6d6338d8065f6d52f95bd423
SHA256 76f32d1e2cc894f89cc6b310083916319cf6a826869b1a788ad01bbf7b322cfe
SHA512 ba4c56fa67fd7f43b2e27d4cb5e48e42de10f67b98ed51cbe72daa2055291c48b8074e6257a32eeeb8eb6ded2afb2ee405323d724da47bc3db0e3cddf9fcc53f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e86f61ff20a61dd8fae084a418a0bba3
SHA1 f2349c3ad9c967f12a01e07f389184a52fb93d1f
SHA256 35a8d7df83fffff3827f78970b6dd699ecf1f3e9a3b20a478a2068939c47aad5
SHA512 b9e9a3dcbaf3e59ee8bbc1334d2acd658c90143d654005dd43f3892d4efb30ae801df2640be99903522d1bf2be754e9cdd9646916553d602a781e28fd015f5ab

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 99f6c7ba43eaeea6c06d619602220959
SHA1 e4ccf469f2b1232d39b1a0d41f26906c7b66cc08
SHA256 888bb797c29c22052f394bab317da74760d26e8b10de60b521cdd60d136a5948
SHA512 ae890ce6f0e66368524f231fb892b34f2a6bdd71dbf434caa3454b1595fdd9e490331009400c9815e334d48572df984c356552820a5319c15a90069627f3f34e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 14:06

Reported

2024-04-19 14:09

Platform

win11-20240412-en

Max time kernel

26s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3616 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 4108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2760 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe C:\Windows\rss\csrss.exe
PID 1000 wrote to memory of 2812 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 3128 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 4216 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1000 wrote to memory of 4200 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe

"C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe

"C:\Users\Admin\AppData\Local\Temp\24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 ed09f645-7d24-466a-a2a2-94135a69e612.uuid.alldatadump.org udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hn5kvnwx.awd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 326f0c5195e01f8ec963875ba97f045b
SHA1 3a0906c357f0c61d08629a38b721080ce507e1ae
SHA256 160dacec2d2a743b126708fa304fa110d574dad6b90acd1ba93c0b51dc6084c3
SHA512 09aee4ceb8d0003ba000b0eec9ca415a5734c96c52dd3bebbd23a0cf67a7d110a7e07aa61042b99c4383e11b2a226b6e88a07fb29f04b713d87ab5e10fd0a7bf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3e85e86f9fa69abb8c39da76c0e2800
SHA1 2fef36c3a8446ce0a8487123a292f279bc0828e4
SHA256 44b24fee6dfb19df4025fcd4f18e08e5e76ad7ffc2b436844fe655ff3e625869
SHA512 ef6fac6e843af61debbd07ae67bdaa4a5b6eb61997a4f2c4bc024bd8f9edae89394de0957930109f8627af014cf5d4ec5e0906ba379836912fc3966e9a8c201b

C:\Windows\rss\csrss.exe

MD5 db2f86f571ecd23acdff760266048eb2
SHA1 20d81819908f0e38b41c8070fd2b301e4524420c
SHA256 24ce1558c06ac29acaca9b8294ec91f231f05834aafe6139e195b0f65c2a91f1
SHA512 0b55c35492c38a7815aa805c5e660f67fc085681f6068a2449a0d005171a9db60c29af08d71f209bdea5765919be2ea826c5d38edcc02104d6aebd05e2f78ee5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 84b3512e2105d2d9ad38dae0ca35955f
SHA1 44b64ba3b0f72162117cb2071046f8b3c0613cab
SHA256 967b2285ab597c3661867ccaf6b4a135e87ac44de91d9b8581059ae470ba214e
SHA512 53ec4dd7ebaae824c63cb4cb4ce8387fdf9ec65635de7bd088ed5635eb7aa0a5dfce1a32ad338076d9877f5715f5fdec96b0e7962e4994b90f66681d90063207

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 32ca4a209f22f4d2e7aa36eaf9299a9f
SHA1 5ce01f77805850e223956043540a87676c2b9327
SHA256 074c17b7761caa6edceb2f355fd09e99e5b1daa1a91f5d19d87f0ec7fad799e3
SHA512 a36694b36aba745a9e9e95f8ea44bb9eb33fd435a6de6d8a4dc881606edc6e45c79ad3250888be46bb0d6ae96bd3b473e745d11be9964961d29c50ac8df2aae9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ff7cd97e0100c140bb8e8a26a32c7b93
SHA1 a80728b33042cdab51d975211f2b0ea6b3bee688
SHA256 817b2e918719cfc517fb6fb5a90cde8d42e2b296e52811685a25cb4a3a02909f
SHA512 21cf290183e74cc3a36bf4ddb623b982282e5518326f9b7582555ed54c39cdddeb36ec32b070fff546a37da7aa30ba33412bcec20470834588e3ea1c59945923

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
