Malware Analysis Report

2025-08-05 12:17

Sample ID 240419-x35m8adc48
Target 3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3
SHA256 3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3
Tags glupteba dropper evasion loader discovery persistence rootkit upx
Score 10/10

Analysis Overview


Threat Level: Known bad

Malicious Activity Summary

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:23

Reported

2024-04-19 19:26

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4368 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\system32\cmd.exe
PID 2460 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4368 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe

"C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe

"C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wffhg32f.o4b.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:23

Reported

2024-04-19 19:26

Platform

win11-20240412-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3264 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2308 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2708 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2708 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\rss\csrss.exe
PID 2708 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\rss\csrss.exe
PID 2708 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe C:\Windows\rss\csrss.exe
PID 3680 wrote to memory of 2804 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2804 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2804 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 4072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 4072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 4072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2268 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2268 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2268 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3680 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3680 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4220 wrote to memory of 4704 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4704 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4220 wrote to memory of 4704 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4704 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4704 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4704 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe

"C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3432 -ip 3432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 2384

C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe

"C:\Users\Admin\AppData\Local\Temp\3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2708 -ip 2708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 33cb806b-7b80-423a-84e8-8ab00203dd10.uuid.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.myfastupdate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
N/A 127.0.0.1:31465 N/A tcp

Files

memory/3264-1-0x0000000003E30000-0x0000000004235000-memory.dmp

memory/3264-2-0x0000000004240000-0x0000000004B2B000-memory.dmp

memory/3264-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3432-4-0x0000000005210000-0x0000000005246000-memory.dmp

memory/3432-5-0x0000000074370000-0x0000000074B21000-memory.dmp

memory/3432-6-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/3432-8-0x0000000005880000-0x0000000005EAA000-memory.dmp

memory/3432-7-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/3432-9-0x00000000057D0000-0x00000000057F2000-memory.dmp

memory/3432-10-0x0000000005FB0000-0x0000000006016000-memory.dmp

memory/3432-11-0x0000000006140000-0x00000000061A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5iv4jlq.wtk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3432-20-0x00000000061B0000-0x0000000006507000-memory.dmp

memory/3432-21-0x00000000066A0000-0x00000000066BE000-memory.dmp

memory/3432-22-0x00000000066F0000-0x000000000673C000-memory.dmp

memory/3432-23-0x0000000006B00000-0x0000000006B46000-memory.dmp

memory/3432-24-0x000000007FA50000-0x000000007FA60000-memory.dmp

memory/3432-25-0x0000000007AD0000-0x0000000007B04000-memory.dmp

memory/3432-26-0x00000000705E0000-0x000000007062C000-memory.dmp

memory/3432-27-0x0000000070760000-0x0000000070AB7000-memory.dmp

memory/3432-36-0x0000000007B10000-0x0000000007B2E000-memory.dmp

memory/3432-37-0x0000000007B30000-0x0000000007BD4000-memory.dmp

memory/3432-38-0x00000000082A0000-0x000000000891A000-memory.dmp

memory/3432-39-0x0000000007C60000-0x0000000007C7A000-memory.dmp

memory/3432-40-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

memory/3432-41-0x0000000074370000-0x0000000074B21000-memory.dmp

memory/3264-42-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2708-44-0x00000000039F0000-0x0000000003DF5000-memory.dmp

memory/2708-45-0x0000000003F40000-0x000000000482B000-memory.dmp

memory/2708-46-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/1180-47-0x0000000074410000-0x0000000074BC1000-memory.dmp

memory/1180-49-0x0000000005200000-0x0000000005210000-memory.dmp

memory/1180-48-0x0000000005200000-0x0000000005210000-memory.dmp

memory/1180-58-0x00000000060C0000-0x0000000006417000-memory.dmp

memory/1180-59-0x0000000006650000-0x000000000669C000-memory.dmp

memory/1180-61-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/1180-60-0x000000007F1C0000-0x000000007F1D0000-memory.dmp

memory/1180-62-0x0000000070900000-0x0000000070C57000-memory.dmp

memory/1180-72-0x0000000005200000-0x0000000005210000-memory.dmp

memory/1180-73-0x0000000005200000-0x0000000005210000-memory.dmp

memory/1180-71-0x0000000007820000-0x00000000078C4000-memory.dmp

memory/1180-74-0x0000000007C20000-0x0000000007CB6000-memory.dmp

memory/1180-75-0x0000000007B40000-0x0000000007B51000-memory.dmp

memory/1180-76-0x0000000007B80000-0x0000000007B8E000-memory.dmp

memory/1180-77-0x0000000007B90000-0x0000000007BA5000-memory.dmp

memory/1180-78-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

memory/1180-79-0x0000000007BF0000-0x0000000007BF8000-memory.dmp

memory/1180-82-0x0000000074410000-0x0000000074BC1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4220-84-0x0000000074410000-0x0000000074BC1000-memory.dmp

memory/4220-90-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/4220-91-0x00000000054C0000-0x00000000054D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5739f665bcce9806a366a9fac595591
SHA1 ab2aea7e289981b1541e8ec5de6f8b18ae333419
SHA256 6087ca1ababef4a1932eaa97f399809edb2f02e95c1c1cee38efbdc9251e0a41
SHA512 92ee301f50cafd2ea9b0ca3d58e387d87601d8c91f16c6c32c43ba2a601e479c8dfbf3f130b0be6a29a4f3da2d8be969c9fc7ee0e1b0955239b4c636e54f5b13

memory/4220-97-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/4220-96-0x000000007EEC0000-0x000000007EED0000-memory.dmp

memory/4220-98-0x0000000070900000-0x0000000070C57000-memory.dmp

memory/4220-108-0x0000000074410000-0x0000000074BC1000-memory.dmp

memory/4184-109-0x0000000074410000-0x0000000074BC1000-memory.dmp

memory/2708-110-0x00000000039F0000-0x0000000003DF5000-memory.dmp

memory/4184-121-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/4184-120-0x0000000005AF0000-0x0000000005E47000-memory.dmp

memory/4184-119-0x0000000004B10000-0x0000000004B20000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3c884f127dceacb432899cf1c468ecb1
SHA1 2623730aa969f9681a930bd003d59aba64b53614
SHA256 f5e158632ba99e74b1d3cf90ab05bd190367289b304dfc2f6a511ee308584273
SHA512 47040531057796ad42344b68c76da81a04e0d69776ed99790dd0b6ac824cfe48747a7d196899e977b4fefcabcbdcdea16c4d99be8129eacd5a37bce7a291aac1

memory/2708-123-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4184-125-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/4184-126-0x0000000070870000-0x0000000070BC7000-memory.dmp

memory/4184-124-0x000000007F140000-0x000000007F150000-memory.dmp

memory/4184-135-0x0000000004B10000-0x0000000004B20000-memory.dmp

memory/4184-137-0x0000000074410000-0x0000000074BC1000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7259a8faf0ebdc840803df9282ee426c
SHA1 bd6353cc66c7937a43d2621ecbd0a4152d1bd01b
SHA256 3408b564ef8a141be8b665645f0eb58e3de8acb8d221c70b82936222f376d9d3
SHA512 4cdf9deb0680fd64a8dc49bec67d759d5f16c50161757e5359cfc734634a55a09789919ff88239f05667120f5210c3abe9cf6555ff22510f6141367a37b26bbb

memory/2708-143-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 47b59651b3c5da3e6e5d5c6102f93b18
SHA1 2bf569db55cf40cd7e7417e7b84c7b6c9f70078f
SHA256 ef521ce4cd9c6507019d8e7bf60b8522ad7c3b6714aa7a9e083fb5226dda6dc6
SHA512 444ee7ffb14dd27a2c640d58063b120fc9e08006291cdc9fa602a7ceef186d70dd44757417cf5c16ed23fd4154dac36269cfd507b3a9e5b550a4e77782f96da2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf4fdbd3f09f156d18c2f86f9159d95d
SHA1 11beb9e1a63095c5bb085bdd33e75b6f6628aafa
SHA256 3ed86bc49e3d231d2bf5e01bd6a14d2c00d1d2db806512542cef804f5c70c3c7
SHA512 c4c602dfa5b9efebde7821d08bb4e7a0a78c7b72aab55acc92db8df3c8981ec32cfa16d17698c5f90fad2e1ba17665c1f2391f8783786fb6d840882a15ef6297

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 050ef42de022dd43b150480d7eeebc9c
SHA1 102ca9aea256da4c080b3081979a11af69f7092e
SHA256 cbebcedf542df1922225443a55bd36678b253cd45e97b0956d01b24a7051a893
SHA512 6aff6ca2ba4b89b3b8b5d698e1bbf7e7fdf35d9a696c45f84d118662ca771ee04efd691d3ad15f623f7d30157e0309616b3c87f7b543c57855a5a1c4137e4d1f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3680-240-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-241-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4220-248-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3680-250-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2016-251-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3680-252-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-254-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2016-255-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3680-256-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-258-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-260-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-262-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-264-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-266-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-268-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3680-270-0x0000000000400000-0x0000000001E08000-memory.dmp