Malware Analysis Report

2025-08-05 12:18

Sample ID 240419-x5qxvaea71
Target c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97
SHA256 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97
Tags
glupteba dropper evasion loader discovery persistence rootkit upx
score
10/10


Analysis Overview

score
10/10

SHA256

c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97

Threat Level: Known bad

The file c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader discovery persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses
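The "UPX packed file" signature above is a static match on the sample's section layout. As an added example (not code from the report or from the malware), the following stand-alone Python reads a PE's section table with the standard library only and reports the packer's stock section names. The bytes it runs on are a constructed minimal header, not the analysed sample, and the name list is UPX's default, which a repacked or scrubbed binary can rename, so a negative result does not rule UPX out.

```python
"""Check a PE image for UPX section names, using only the standard library.

Added example for this report, not sandbox or Glupteba code. The PE bytes built
below are a constructed, minimal header, not the analysed sample.
"""
import struct

# Section names the stock UPX packer writes. A repacked or "scrubbed" binary can
# rename them, so a negative result does not rule UPX out.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table starts right after the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a stock UPX name."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_fake_pe(section_names, opt_header_size: int = 0xE0) -> bytes:
    """Constructed test input: MZ stub, PE signature, file header, empty optional header, bare section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the stub
    file_header = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_header_size, 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt_header_size) + sections


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(data), "UPX-style sections" if looks_upx_packed(data) else "no UPX sections")
```

Run it with a file path to inspect a real binary; without one it runs on the constructed header. A packed sample should be unpacked (or dumped from memory, as the sandbox did for the 0x400000-0x1E08000 region) before any string or import analysis.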

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:26

Reported

2024-04-19 19:29

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

13 rule matches; the report records no description, indicator, process or target for them (all fields N/A).

Modifies Windows Firewall

evasion
Process: C:\Windows\system32\netsh.exe (no indicator recorded; the rule it adds is shown in the netsh command line under Processes)

Drops file in System32 directory

Both files are PowerShell's own start-up artifacts (the .NET CLR usage log and the start-up profile cache), written under C:\Windows\SysWOW64\config\systemprofile, which is the LocalSystem account's profile as seen by a 32-bit process. They show that 32-bit PowerShell ran as SYSTEM; they are not a payload dropped into System32.
File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive, by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log, by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick

The indicator is a device-object open, not a DLL load: \??\VBoxMiniRdrDN is the device exposed by the VirtualBox shared-folders mini-redirector, so a successful open tells the sample it is running inside a VirtualBox guest.
File opened (read-only): \??\VBoxMiniRdrDN, by C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe

Creates scheduled task(s)

persistence
Process: C:\Windows\SYSTEM32\schtasks.exe (no indicator recorded; the task definition is shown in the schtasks command line under Processes)

Modifies data under HKEY_USERS

Every key below sits under \REGISTRY\USER\.DEFAULT, the hive LocalSystem sees as HKEY_CURRENT_USER, which is consistent with the PowerShell artifacts written to the LocalSystem profile under C:\Windows\SysWOW64\config\systemprofile. The report's table mixes two unrelated activities:

Key created by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. These are the per-user certificate-store and Internet zone keys that CryptoAPI and WinINet create the first time an account uses them; the report records no values set under them:
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (recorded twice)
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs

Set value (str) by C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe. All 50 values are MuiCache entries of the form \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-<id>. Windows writes these when a process resolves the localized display names of the installed time zones, so they record that the sample enumerated time zones; they are a side effect of that enumeration, not a configuration or persistence change:
-2491 = "Aus Central W. Daylight Time"
-432 = "Iran Standard Time"
-191 = "Mountain Daylight Time"
-751 = "Tonga Daylight Time"
-2341 = "Haiti Daylight Time"
-1471 = "Magadan Daylight Time"
-1932 = "Russia TZ 11 Standard Time"
-2591 = "Tocantins Daylight Time"
-622 = "Korea Standard Time"
-385 = "Namibia Standard Time"
-621 = "Korea Daylight Time"
-2751 = "Tomsk Daylight Time"
-691 = "Tasmania Daylight Time"
-2162 = "Altai Standard Time"
-682 = "E. Australia Standard Time"
-271 = "Greenwich Daylight Time"
-1801 = "Line Islands Daylight Time"
-384 = "Namibia Daylight Time"
-752 = "Tonga Standard Time"
-392 = "Arab Standard Time"
-661 = "Cen. Australia Daylight Time"
-261 = "GMT Daylight Time"
-772 = "Montevideo Standard Time"
-3051 = "Qyzylorda Daylight Time"
-441 = "Arabian Daylight Time"
-82 = "Atlantic Standard Time"
-449 = "Azerbaijan Standard Time"
-2772 = "Omsk Standard Time"
-41 = "E. South America Daylight Time"
-491 = "India Daylight Time"
-262 = "GMT Standard Time"
-962 = "Paraguay Standard Time"
-1911 = "Russia TZ 10 Daylight Time"
-2841 = "Saratov Daylight Time"
-511 = "Central Asia Daylight Time"
-1862 = "Russia TZ 6 Standard Time"
-832 = "SA Eastern Standard Time"
-562 = "SE Asia Standard Time"
-331 = "E. Europe Daylight Time"
-2512 = "Lord Howe Standard Time"
-741 = "New Zealand Daylight Time"
-1502 = "Turkey Standard Time"
-2042 = "Eastern Standard Time (Mexico)"
-52 = "Greenland Standard Time"
-2511 = "Lord Howe Daylight Time"
-81 = "Atlantic Daylight Time"
-1661 = "Bahia Daylight Time"
-892 = "Morocco Standard Time"
-2752 = "Tomsk Standard Time"
-1802 = "Line Islands Standard Time"

Suspicious behavior: EnumeratesProcesses

20 process-enumeration events; the report records only the process that performed them, no indicator or target:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: 8 events
C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe: 12 events

Suspicious use of WriteProcessMemory

Every row is a parent writing into a child it has just created, and the report records nothing about what was written. Writes of this shape also occur when a process simply starts a child (the process parameters are written into the new process), so on their own they are low-signal; their value here is that they establish the parent/child relationships for the Processes list. Grouped by writer and target:

PID 392 (first instance of the sample, C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe) -> PID 4640, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: 3 writes
PID 3480 (second instance of the sample) -> PID 4692, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: 3 writes
PID 3480 -> PID 3180, C:\Windows\system32\cmd.exe: 2 writes
PID 3180 (cmd.exe) -> PID 5096, C:\Windows\system32\netsh.exe: 2 writes
PID 3480 -> PID 548, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: 3 writes

Processes

C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
"C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"
First instance of the sample (PID 392 in the WriteProcessMemory table).

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
32-bit PowerShell started by PID 392 (PID 4640). With no -Command or -File argument PowerShell reads its commands from standard input, so whatever the sample fed it does not appear in the command line.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Edge utility process captured in the trace; the report records nothing linking it to the sample.

C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe
"C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"
Second instance of the sample (PID 3480). How it was re-launched is not recorded. Per the WriteProcessMemory table its children are PowerShell PIDs 4692 and 548 and cmd.exe PID 3180.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
Started by PID 3480 (PID 3180). The 32-bit sample reaches the 64-bit cmd.exe through the Sysnative alias of the file-system redirector; the image is logged under its real System32 path.

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
Started by cmd.exe (PID 5096). Inbound allow rule for the copy of the sample at C:\Windows\rss\csrss.exe; both the rule name and the file name borrow from the legitimate C:\Windows\System32\csrss.exe.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
The dropped copy of the sample (same SHA256, see Files) running from its persistence location.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Persistence: runs the copy at every logon with the highest privileges available to the creating account, replacing any existing task of that name (/F).

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
Removes a task named ScheduledUpdate; nothing on the page shows what created it.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
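The netsh, schtasks and csrss.exe entries above are the behaviours worth turning into detections. The following Python is an added example, not part of the sandbox report or of Glupteba: it replays the command lines listed above as constructed Sysmon-style process-creation records (the image, command_line and parent_image field names are an assumption, and parents are filled in only where the WriteProcessMemory table confirms them) and flags four things: a core system binary name running outside System32/SysWOW64, a firewall allow-rule for a program outside trusted directories, an ONLOGON task at highest run level pointing outside them, and a launch through the Sysnative alias.

```python
"""Flag the masquerading and persistence patterns in this report's process list.

Added example, not part of the sandbox report or the Glupteba code base. The
records are constructed from the command lines listed above; the field names
(image, command_line, parent_image) follow Sysmon event 1 and are an assumption.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# Core Windows binaries that have no business running from anywhere but SYSTEM_DIRS.
CORE_BINARIES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                 "svchost.exe", "wininit.exe", "winlogon.exe"}


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str = ""  # empty where the report does not confirm the parent


@dataclass
class Finding:
    rule: str
    path: str
    event: ProcEvent = field(repr=False)


def arg_value(cmd: str, key: str) -> str | None:
    """Value of `key=value` or `/key value`, honouring Windows double quotes."""
    m = re.search(re.escape(key) + r'(?:=|\s+)(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def is_masquerade(path: str) -> bool:
    """A core system binary name located outside System32/SysWOW64."""
    p = path.lower()
    return ntpath.basename(p) in CORE_BINARIES and not p.startswith(SYSTEM_DIRS)


def analyse(events: list[ProcEvent]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        image, cmd = ev.image.lower(), ev.command_line
        if is_masquerade(image):
            findings.append(Finding("masquerading_image", ev.image, ev))
        # netsh advfirewall firewall add rule ... program=<path>: allow-rule for an untrusted binary
        if image.endswith("\\netsh.exe") and re.search(r"advfirewall\s+firewall\s+add\s+rule", cmd, re.I):
            prog = arg_value(cmd, "program")
            if prog and (is_masquerade(prog) or not prog.lower().startswith(TRUSTED_DIRS)):
                findings.append(Finding("firewall_allow_untrusted_program", prog, ev))
        # schtasks /create ... /sc onlogon|onstart /rl highest /tr <path outside trusted dirs>
        if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            tr, sc, rl = arg_value(cmd, "/tr"), arg_value(cmd, "/sc"), arg_value(cmd, "/rl")
            if (tr and (sc or "").upper() in {"ONLOGON", "ONSTART"}
                    and (rl or "").upper() == "HIGHEST" and not tr.lower().startswith(TRUSTED_DIRS)):
                findings.append(Finding("scheduled_task_highest_untrusted", tr, ev))
        # A 32-bit process reaching the 64-bit System32 through the Sysnative alias
        if "\\sysnative\\" in cmd.lower():
            findings.append(Finding("sysnative_launch", ev.image, ev))
    return findings


def report_events() -> list[ProcEvent]:
    """The process list of this report as constructed records (parents only where confirmed)."""
    sample = r"C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"
    ps = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    copy = r"C:\Windows\rss\csrss.exe"
    cmd_exe = r"C:\Windows\system32\cmd.exe"
    netsh = ('netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
             'program="C:\\Windows\\rss\\csrss.exe" enable=yes')
    return [
        ProcEvent(sample, f'"{sample}"'),
        ProcEvent(ps, "powershell -nologo -noprofile", sample),
        ProcEvent(cmd_exe, f'C:\\Windows\\Sysnative\\cmd.exe /C "{netsh}"', sample),
        ProcEvent(r"C:\Windows\system32\netsh.exe", netsh, cmd_exe),
        ProcEvent(copy, copy),
        ProcEvent(r"C:\Windows\SYSTEM32\schtasks.exe",
                  f'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "{copy}" /TN csrss /F'),
        ProcEvent(r"C:\Windows\SYSTEM32\schtasks.exe", "schtasks /delete /tn ScheduledUpdate /f"),
    ]


if __name__ == "__main__":
    for f in analyse(report_events()):
        print(f"{f.rule:34} {f.path}")
```

The `powershell -nologo -noprofile` launches deliberately produce no finding: a 32-bit PowerShell with no script on its command line is common in legitimate software, and the commands it received are not in the log. The four findings that do fire all resolve to the same path, C:\Windows\rss\csrss.exe, which is the pivot an analyst would take into file and scheduled-task telemetry.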

Network

All recorded traffic is DNS to 8.8.8.8. Eleven queries are reverse (PTR) lookups of public IPv4 addresses; an in-addr.arpa name reads back to front, so 154.239.44.20.in-addr.arpa looks up 20.44.239.154. The single forward lookup, a UUID-labelled host under uuid.thestatsfiles.ru, is the one worth hunting for: a random label under a fixed parent zone is the kind of name that differs per host. No resolved addresses or follow-on connections are recorded.

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 cf9e65b2-4a44-41ee-b319-4a2de84244e7.uuid.thestatsfiles.ru udp
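The following Python is an added example, not sandbox output, that works over the query names in the table above: it turns the in-addr.arpa names back into the IPv4 addresses they look up, checks that those addresses are public, isolates the UUID-labelled host, and reports the UUID's RFC 4122 version so that a random (version 4) label can be told from a time-based one. REPORT_QUERIES is copied from the table; no other traffic is assumed.

```python
"""Sort the DNS names in this report into reverse lookups and a UUID-labelled host.

Added example for this report, not sandbox code. REPORT_QUERIES is copied from
the Network table above; nothing else about the traffic is assumed.
"""
from __future__ import annotations

import ipaddress
import re
import uuid

REPORT_QUERIES = [
    "154.239.44.20.in-addr.arpa", "103.169.127.40.in-addr.arpa",
    "172.210.232.199.in-addr.arpa", "56.126.166.20.in-addr.arpa",
    "0.204.248.87.in-addr.arpa", "4.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa", "19.229.111.52.in-addr.arpa",
    "33.117.19.2.in-addr.arpa", "240.197.17.2.in-addr.arpa",
    "8.179.89.13.in-addr.arpa",
    "cf9e65b2-4a44-41ee-b319-4a2de84244e7.uuid.thestatsfiles.ru",
]

# Hyphenated 8-4-4-4-12 hex label, the textual UUID form.
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def ptr_to_ip(name: str) -> str | None:
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None if not an IPv4 PTR name."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def classify(queries):
    """Return (reverse-lookup IPs, [(uuid label, parent zone)], everything else)."""
    ptr_ips, uuid_hosts, other = [], [], []
    for q in queries:
        ip = ptr_to_ip(q)
        if ip:
            ptr_ips.append(ip)
            continue
        labels = q.rstrip(".").lower().split(".")
        if UUID_LABEL.match(labels[0]):
            uuid_hosts.append((labels[0], ".".join(labels[1:])))
        else:
            other.append(q)
    return ptr_ips, uuid_hosts, other


def non_global(ips):
    """Addresses that are private, loopback, link-local or otherwise reserved."""
    return [ip for ip in ips if not ipaddress.ip_address(ip).is_global]


def describe_uuid(label: str) -> str:
    """RFC 4122 version and variant; version 4 means the label is random, not derived."""
    u = uuid.UUID(label)
    return f"version {u.version}, variant {u.variant}"


if __name__ == "__main__":
    ips, hosts, other = classify(REPORT_QUERIES)
    print("PTR lookups:", ips, "non-public:", non_global(ips))
    for label, zone in hosts:
        print(f"UUID host under {zone}: {label} ({describe_uuid(label)})")
    print("unclassified:", other)
```

For hunting, the useful query is not the exact name but the pattern: many distinct UUID labels under one parent zone across a fleet, which a resolver log can surface by grouping on the parent zone returned by `classify`.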

Files

memory/392-1-0x0000000003D60000-0x0000000004167000-memory.dmp

memory/392-2-0x0000000004170000-0x0000000004A5B000-memory.dmp

memory/392-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/392-4-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/392-5-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/392-6-0x0000000003D60000-0x0000000004167000-memory.dmp

memory/392-7-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/392-8-0x0000000004170000-0x0000000004A5B000-memory.dmp

memory/4640-9-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/4640-10-0x0000000005000000-0x0000000005010000-memory.dmp

memory/4640-11-0x0000000002DC0000-0x0000000002DF6000-memory.dmp

memory/4640-12-0x0000000005000000-0x0000000005010000-memory.dmp

memory/4640-13-0x0000000005640000-0x0000000005C68000-memory.dmp

memory/4640-15-0x0000000005130000-0x0000000005152000-memory.dmp

memory/4640-16-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/4640-17-0x0000000005C70000-0x0000000005CD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ly5mbek5.cag.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4640-23-0x0000000005CE0000-0x0000000006034000-memory.dmp

memory/4640-29-0x00000000063B0000-0x00000000063CE000-memory.dmp

memory/4640-30-0x0000000006490000-0x00000000064DC000-memory.dmp

memory/4640-31-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/4640-32-0x0000000006A20000-0x0000000006A64000-memory.dmp

memory/4640-34-0x0000000005000000-0x0000000005010000-memory.dmp

memory/4640-35-0x0000000005000000-0x0000000005010000-memory.dmp

memory/4640-36-0x0000000007770000-0x00000000077E6000-memory.dmp

memory/4640-37-0x0000000007E70000-0x00000000084EA000-memory.dmp

memory/4640-38-0x00000000076F0000-0x000000000770A000-memory.dmp

memory/392-39-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4640-40-0x000000007F4A0000-0x000000007F4B0000-memory.dmp

memory/4640-41-0x00000000079E0000-0x0000000007A12000-memory.dmp

memory/4640-42-0x00000000707D0000-0x000000007081C000-memory.dmp

memory/4640-43-0x0000000070F70000-0x00000000712C4000-memory.dmp

memory/4640-53-0x00000000079C0000-0x00000000079DE000-memory.dmp

memory/4640-54-0x0000000007A20000-0x0000000007AC3000-memory.dmp

memory/392-55-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4640-56-0x00000000079B0000-0x00000000079BA000-memory.dmp

memory/4640-57-0x0000000005000000-0x0000000005010000-memory.dmp

memory/4640-59-0x0000000007BF0000-0x0000000007C86000-memory.dmp

memory/4640-60-0x0000000007B50000-0x0000000007B61000-memory.dmp

memory/4640-62-0x0000000007B70000-0x0000000007B7E000-memory.dmp

memory/4640-63-0x0000000007B80000-0x0000000007B94000-memory.dmp

memory/4640-65-0x000000007F4A0000-0x000000007F4B0000-memory.dmp

memory/4640-66-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

memory/4640-67-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

memory/4640-70-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/3480-72-0x0000000003C00000-0x0000000004001000-memory.dmp

memory/3480-73-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4692-74-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/4692-75-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/4692-76-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/4692-83-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/4692-87-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/4692-88-0x00000000707D0000-0x000000007081C000-memory.dmp

memory/4692-89-0x0000000070F50000-0x00000000712A4000-memory.dmp

memory/4692-99-0x0000000007450000-0x00000000074F3000-memory.dmp

memory/4692-100-0x0000000007750000-0x0000000007761000-memory.dmp

memory/392-101-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4692-102-0x00000000077C0000-0x00000000077D4000-memory.dmp

memory/4692-105-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/3480-106-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3480-107-0x0000000003C00000-0x0000000004001000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/548-112-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/548-113-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/548-114-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/548-124-0x0000000005F70000-0x00000000062C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fe19d077d9758a1110ca6fb959381b2a
SHA1 a5067c7a312a8f5e1dcdf514c887c4bb95914453
SHA256 bee0f7c695a842f904eb670dd59145f80ae545adf0cd30fe7eb2faf22087b610
SHA512 78ce866f8404ea55a0dc2500cb2dd78ddfeb2d9a3b6d8c351d29a010903f36771cd39f1a30504d1de569b01ec788d2d1e346bb99040c3fe8da53c3e0e2d998f1

memory/548-126-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/548-127-0x000000007EEB0000-0x000000007EEC0000-memory.dmp

memory/548-128-0x00000000707D0000-0x000000007081C000-memory.dmp

memory/548-129-0x0000000070950000-0x0000000070CA4000-memory.dmp

memory/548-140-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/3480-141-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4768-142-0x0000000074930000-0x00000000750E0000-memory.dmp

memory/4768-143-0x00000000046F0000-0x0000000004700000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b8f8f2ca284ff2233b2b6b0535d8c54
SHA1 937401e7e12df621aeb121311d7b2844c1a66fc8
SHA256 176ff6aac4db9b0de175f95e1684f04a7e65821dd582c799e097bad1c0f9da8f
SHA512 08a48b98e9a0706541868a57dae715fd676faf94b6822e18101b744076c7d55cc64b4354e7a3832cd098ceaddcfcaf0792e17b8470ceaa7c1b9d0dc1d635627b

C:\Windows\rss\csrss.exe (same SHA256 as the submitted sample: the file is a copy of the sample placed at the path the firewall rule and scheduled task point to, named after the legitimate C:\Windows\System32\csrss.exe)

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:26

Reported

2024-04-19 19:29

Platform

win11-20240412-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 952 wrote to memory of 2020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3252 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3252 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\rss\csrss.exe
PID 3252 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\rss\csrss.exe
PID 3252 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe C:\Windows\rss\csrss.exe
PID 5092 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 4284 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 2720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 2720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 2720 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 4220 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5092 wrote to memory of 4220 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4968 wrote to memory of 1456 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1456 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1456 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1456 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1456 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe

"C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe

"C:\Users\Admin\AppData\Local\Temp\c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
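
The command lines above are the part of this run a responder will want to hunt for: the sample copies itself to C:\Windows\rss\csrss.exe (the Files list below shows that file with the same SHA256 as the submitted sample), opens an inbound firewall rule for it, registers an ONLOGON task named csrss at the highest run level, injects NtQuerySystemInformationHook.dll into taskmgr.exe, and rewrites the security descriptor of the WinDefender service. The sc sdset string is the least readable of these: its third ACE, (D;;WPDT;;;BA), denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE to Administrators, so the service cannot be stopped from an elevated shell until the descriptor is reset (Administrators keep WRITE_DAC in the preceding allow ACE, so sc sdset with a sane descriptor is enough). The script below is an added example by the editor, not code from the report or from the sandbox; the rows are copied from the table above, and the heuristics it applies (System32-only image names running from other directories, firewall allow rules for such binaries, highest-privilege logon tasks, deny ACEs in a service SDDL, the tool/target/DLL shape of an injector invocation) are this example's own assumptions about what merits review, not conclusions the report states.

```python
"""Triage of the Processes table above. Added example, not the report's code.
Rows are copied from the table; the heuristics are this example's assumptions."""
import ntpath
import re

# Image names that legitimately run only from C:\Windows\System32.
SYSTEM_ONLY_IMAGES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                      "winlogon.exe", "wininit.exe", "svchost.exe"}

# Service-specific access rights as they are spelled in SDDL ACE right strings.
SDDL_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "SYSTEM", "BA": "Administrators", "IU": "Interactive",
                   "SU": "Service", "WD": "Everyone"}

# Rows copied from the Processes table of the report: (image path, command line).
PROCESS_ROWS = [
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\SysWOW64\sc.exe",
     r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
]


def parse_dacl(sddl):
    """Decode the DACL ACEs of an SDDL string into type / rights / trustee."""
    m = re.search(r"D:((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")
        aces.append({
            "type": ace_type,                      # A = allow, D = deny
            "rights": [SDDL_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)],
            "trustee": WELL_KNOWN_SIDS.get(sid, sid),
        })
    return aces


def service_tamper_findings(sddl):
    """Deny ACEs that take stop/pause/delete/reconfigure away from admins or SYSTEM."""
    protected = {"STOP", "PAUSE_CONTINUE", "DELETE", "CHANGE_CONFIG"}
    out = []
    for ace in parse_dacl(sddl):
        blocked = sorted(protected & set(ace["rights"]))
        if ace["type"] == "D" and blocked and ace["trustee"] in ("Administrators", "SYSTEM"):
            out.append(f"service DACL denies {'/'.join(blocked)} to {ace['trustee']}")
    return out


def masquerade(path):
    """True when a System32-only image name runs from any other directory."""
    path = path.strip('"')
    return (ntpath.basename(path).lower() in SYSTEM_ONLY_IMAGES
            and not ntpath.dirname(path).lower().endswith("\\system32"))


def triage_command_line(image, cmdline):
    """Findings for one (image path, command line) row."""
    findings = []
    low = cmdline.lower()
    if masquerade(image):
        findings.append(f"System32-only name running from elsewhere: {image}")
    m = re.search(r'program="?([^"\s]+)"?', cmdline, re.I)
    if "advfirewall firewall add rule" in low and "action=allow" in low and m:
        direction = "inbound" if "dir=in" in low else "outbound"
        note = " (masquerading name)" if masquerade(m.group(1)) else ""
        findings.append(f"{direction} firewall allow rule for {m.group(1)}{note}")
    m = re.search(r'/TR\s+"?([^"]+?)"?\s+/TN\s+(\S+)', cmdline, re.I)
    sc = re.search(r"/SC\s+(\S+)", cmdline, re.I)
    if "/create" in low and "/rl highest" in low and m:
        findings.append(f"task {m.group(2)} runs {m.group(1)} at "
                        f"{sc.group(1) if sc else '?'} with highest privileges")
    m = re.search(r"/delete\s+/tn\s+(\S+)", cmdline, re.I)
    if m:
        findings.append(f"scheduled task removed: {m.group(1)}")
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(D:\S+)", cmdline, re.I)
    if m:
        findings.extend(f"{m.group(1)}: {f}" for f in service_tamper_findings(m.group(2)))
    m = re.search(r"(\S+\.exe)\s+(\S+\.exe)\s+(\S+\.dll)\s*$", cmdline, re.I)
    if m:                                          # <tool> <target process> <dll>
        findings.append(f"{ntpath.basename(m.group(3))} injected into {m.group(2)} "
                        f"by {ntpath.basename(m.group(1))}")
    return findings


def triage_report(rows=PROCESS_ROWS):
    """All findings over the table as (image, finding) pairs."""
    return [(image, f) for image, cmd in rows for f in triage_command_line(image, cmd)]


if __name__ == "__main__":
    for image, finding in triage_report():
        print(f"{ntpath.basename(image):>13}  {finding}")
```

Run stand-alone it prints one line per finding; on a live host the same rules can be fed from Sysmon event ID 1 or 4688 command lines instead of the embedded rows. The SDDL decoder covers the service-rights subset used here; generic rights letters (GA, GR, GW, GX) would pass through undecoded.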

Network

Country Destination Domain Proto
US 8.8.8.8:53 ab3cb85a-488d-4609-98cb-1ef4d6372b8d.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server14.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
N/A 127.0.0.1:31465 tcp
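
The network table mixes DNS lookups with the connections that followed them, and one row (the in-addr.arpa query) only makes sense once it is correlated with the others: 96.216.82.185.in-addr.arpa is the reverse lookup of 185.82.216.96, the host behind server14.thestatsfiles.ru that the sample connected to three times over TCP 443. The script below is an added example by the editor, not part of the report; the rows are copied from the table above, and the review heuristics it applies (UUID-shaped DNS labels, reverse lookups that resolve back to a contacted IP, repeated TCP sessions to one host, loopback endpoints) are this example's own assumptions about what deserves a second look, not conclusions the report draws.

```python
"""Normalise the Network table above into records and flag what to review.
Added example, not the report's code; the heuristics are this example's assumptions."""
import re
from collections import Counter

# Copied from the Network table: Country Destination [Domain] Proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 ab3cb85a-488d-4609-98cb-1ef4d6372b8d.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server14.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
BG 185.82.216.96:443 server14.thestatsfiles.ru tcp
N/A 127.0.0.1:31465 tcp
"""

UUID_LABEL = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_rows(text):
    """Split rows into dicts; the Domain column is absent for bare-IP rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                 # no domain column
            parts.insert(2, None)
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def network_findings(rows):
    """Review items derived from the parsed rows."""
    findings = []
    # Names the sample actually connected to (non-DNS rows), keyed by IP.
    names_by_ip = {r["ip"]: r["domain"] for r in rows if r["port"] != 53 and r["domain"]}
    queried = sorted({r["domain"] for r in rows if r["port"] == 53 and r["domain"]})
    for name in queried:
        if any(UUID_LABEL.match(label) for label in name.split(".")):
            findings.append(f"UUID-shaped DNS label (possible per-host identifier): {name}")
        if name.endswith(".in-addr.arpa"):
            ip = ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))
            known = names_by_ip.get(ip)
            findings.append(f"reverse lookup of {ip}" + (f" ({known})" if known else ""))
    sessions = Counter((r["ip"], r["port"], r["domain"])
                       for r in rows if r["proto"] == "tcp" and r["port"] != 53)
    for (ip, port, domain), n in sessions.items():
        if n > 1:
            findings.append(f"{n} TCP sessions to {domain or ip}:{port} ({ip})")
    for r in rows:
        if r["ip"].startswith("127."):
            findings.append(f"loopback endpoint {r['ip']}:{r['port']}/{r['proto']}")
    return findings


if __name__ == "__main__":
    for finding in network_findings(parse_rows(NETWORK_ROWS)):
        print(finding)
```

The same parser accepts rows with the Domain column missing, as in the last line of the table; when adapting it to live DNS and connection logs, replace NETWORK_ROWS with the export and keep the in-addr.arpa correlation, which is what ties a bare PTR query back to a named C2 host.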

Files

memory/2344-1-0x0000000003E10000-0x000000000420E000-memory.dmp

memory/2344-2-0x0000000004210000-0x0000000004AFB000-memory.dmp

memory/2344-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4808-4-0x0000000002B80000-0x0000000002BB6000-memory.dmp

memory/4808-5-0x0000000074A10000-0x00000000751C1000-memory.dmp

memory/4808-6-0x0000000002C80000-0x0000000002C90000-memory.dmp

memory/4808-8-0x0000000005380000-0x00000000059AA000-memory.dmp

memory/4808-7-0x0000000002C80000-0x0000000002C90000-memory.dmp

memory/4808-9-0x00000000051A0000-0x00000000051C2000-memory.dmp

memory/4808-10-0x0000000005240000-0x00000000052A6000-memory.dmp

memory/4808-11-0x00000000059B0000-0x0000000005A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kgdd50s0.gqo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4808-20-0x0000000005B60000-0x0000000005EB7000-memory.dmp

memory/4808-21-0x0000000006050000-0x000000000606E000-memory.dmp

memory/4808-22-0x00000000060A0000-0x00000000060EC000-memory.dmp

memory/4808-23-0x0000000006FE0000-0x0000000007026000-memory.dmp

memory/4808-24-0x000000007F960000-0x000000007F970000-memory.dmp

memory/4808-25-0x0000000007490000-0x00000000074C4000-memory.dmp

memory/4808-26-0x0000000070C80000-0x0000000070CCC000-memory.dmp

memory/4808-27-0x0000000070E10000-0x0000000071167000-memory.dmp

memory/4808-37-0x0000000002C80000-0x0000000002C90000-memory.dmp

memory/4808-36-0x00000000074D0000-0x00000000074EE000-memory.dmp

memory/4808-38-0x00000000074F0000-0x0000000007594000-memory.dmp

memory/4808-40-0x0000000007610000-0x000000000762A000-memory.dmp

memory/4808-39-0x0000000007C50000-0x00000000082CA000-memory.dmp

memory/4808-41-0x0000000007650000-0x000000000765A000-memory.dmp

memory/4808-42-0x0000000007760000-0x00000000077F6000-memory.dmp

memory/4808-43-0x0000000007670000-0x0000000007681000-memory.dmp

memory/4808-44-0x00000000076C0000-0x00000000076CE000-memory.dmp

memory/4808-45-0x00000000076D0000-0x00000000076E5000-memory.dmp

memory/4808-46-0x0000000007720000-0x000000000773A000-memory.dmp

memory/4808-47-0x0000000007740000-0x0000000007748000-memory.dmp

memory/4808-50-0x0000000074A10000-0x00000000751C1000-memory.dmp

memory/2344-51-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/2344-54-0x0000000004210000-0x0000000004AFB000-memory.dmp

memory/3252-53-0x0000000003A00000-0x0000000003DFA000-memory.dmp

memory/3252-55-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5044-57-0x0000000004F60000-0x0000000004F70000-memory.dmp

memory/5044-58-0x0000000004F60000-0x0000000004F70000-memory.dmp

memory/5044-56-0x0000000074AB0000-0x0000000075261000-memory.dmp

memory/5044-67-0x0000000005FB0000-0x0000000006307000-memory.dmp

memory/5044-68-0x0000000006610000-0x000000000665C000-memory.dmp

memory/5044-70-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/5044-71-0x0000000070F10000-0x0000000071267000-memory.dmp

memory/5044-81-0x0000000004F60000-0x0000000004F70000-memory.dmp

memory/5044-80-0x00000000075B0000-0x0000000007654000-memory.dmp

memory/5044-69-0x000000007F760000-0x000000007F770000-memory.dmp

memory/5044-82-0x00000000078D0000-0x00000000078E1000-memory.dmp

memory/5044-83-0x0000000007920000-0x0000000007935000-memory.dmp

memory/5044-86-0x0000000074AB0000-0x0000000075261000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/2856-88-0x0000000074AB0000-0x0000000075261000-memory.dmp

memory/2856-90-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2856-89-0x00000000053F0000-0x0000000005400000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0d8ac4542842c5847f1e650510023bd1
SHA1 ab1c86d5e08e1c012683cb5c5588b836a3264c28
SHA256 ee8f4cc30d1d2152d91a12cc7ab35dcd04b293d226ff16986bbe6e5e4fa915a0
SHA512 e68c831406fe9be31fe2633b5d5e0cb13707fbcd9b74942918bd49f09131238883063d389d2d2ef535418f3d4341c14366c00af2a1c3da514ce023bf68b75774

memory/2856-102-0x0000000070F10000-0x0000000071267000-memory.dmp

memory/2856-111-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2856-112-0x00000000053F0000-0x0000000005400000-memory.dmp

memory/2856-101-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/2856-100-0x000000007F5A0000-0x000000007F5B0000-memory.dmp

memory/2856-114-0x0000000074AB0000-0x0000000075261000-memory.dmp

memory/4376-115-0x0000000074AB0000-0x0000000075261000-memory.dmp

memory/4376-118-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/4376-127-0x00000000057C0000-0x0000000005B17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad3be33ad7fb4fb996d41a550d166ed8
SHA1 9f1ca4096110ca61851c65d7cb40cab3ad9c2b02
SHA256 e5e58c285b66da4a48e74777a00c2899ec2bf9577fa31c089b30259e060ed455
SHA512 1fcb4bce9224119f25f34fbcadf9fa6e3548e8d9b3fa8e857a06464d89806e815b5a6ad4384f7cc614b487004f5a0b463da636cb955612bb41554e7853c99600

memory/4376-117-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/3252-116-0x0000000003A00000-0x0000000003DFA000-memory.dmp

memory/4376-129-0x0000000070D90000-0x0000000070DDC000-memory.dmp

memory/4376-130-0x00000000716E0000-0x0000000071A37000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a7c99d11e0a3f11864ee6b71bf2f4b08
SHA1 c50f1b9ddaa06a55e0d6abba687d77a482bb2408
SHA256 c8f6bd4c685a93048672d92f9057d5d535ea2d3db45a3ef480fec3b70b0a3b97
SHA512 84bfb379a80980fb909b59a4e3a24e922b6d93647f61c77794e5ab09e1d6fcd95f70abf0e9f804742146f3176413aae54267c9bdf52023ab4c548a234c9fea60

memory/3252-149-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a045e0ce1a621980f76781d2967a5d43
SHA1 96d1c7339919058992ccd52e12e02c4b0b605a0a
SHA256 57fbcfb0c1da87b481aaff9f58987143cab6034e7651f71c5340396537823f07
SHA512 1265b081fd7021be3e785cbdabcf5164b00fed2d159c357592324cb798796cb81c0ae1d98b0c11eff821c826c560ef278a91e1a7e8fecba4cb62898738aac2bd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 55b8da53883bd74dac29c667cfa92220
SHA1 6aae85329dc4e77d5cc5d6b00191946eda2193e1
SHA256 f4c83f4821156d30551c0abdf2b0a7b46521d52ffc038bbeeb37397081bafd18
SHA512 ec91e28d6c5aa3c9013c1fccff0403e25ce7b39dd40022b595e588dba58d801bfb7fee70613a17800c1087ba13bc05bf20fbb3fa860b231a799f309fb8d8444b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 261503cd47c3fea305a994d5b0e160cf
SHA1 4d343bab6d3f0e657379e3b81b60ebef243df327
SHA256 71a9c2ff91b9a1c2a9d7ad6e2f9927b0361b0a81e9b097c9d7957c926307c9e0
SHA512 d2e993b2ec811c5d83342d802ff090d889546bb1a5a765d56753d44d77c9c1899d7e7f23e6d6b6507434f28e00ccc56091c8638e627c7b2dc46744f612b75edc

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5092-245-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4968-252-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5092-254-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3968-255-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5092-256-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-258-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3968-259-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5092-260-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-262-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-264-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-266-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-268-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-270-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-272-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-274-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/5092-276-0x0000000000400000-0x0000000001E08000-memory.dmp