Malware Analysis Report

2025-08-06 03:25

Sample ID: 240420-z8kaksac48
Target: 15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98
SHA256: 15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98
Tags: glupteba discovery dropper evasion loader persistence upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98

Threat Level: Known bad

The file 15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-20 21:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-20 21:23

Reported: 2024-04-20 21:25

Platform: win10v2004-20240412-en

Max time kernel: 22s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2900 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\system32\cmd.exe
PID 4928 wrote to memory of 4080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4928 wrote to memory of 4080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1984 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\System32\Conhost.exe
PID 1984 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\System32\Conhost.exe
PID 1984 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\System32\Conhost.exe
PID 1984 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\rss\csrss.exe
PID 1984 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\rss\csrss.exe
PID 1984 wrote to memory of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe | C:\Windows\rss\csrss.exe
PID 428 wrote to memory of 3292 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 3292 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 3292 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 3220 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 3220 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 3220 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 1612 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 1612 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 428 wrote to memory of 1612 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe

"C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe

"C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8140e389-005b-4bef-be62-fb33f4fa361e.uuid.dumperstats.org | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | stun.ipfire.org | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 8.8.8.8:53 | server15.dumperstats.org | udp
US | 162.159.135.233:443 | cdn.discordapp.com | tcp
BG | 185.82.216.111:443 | server15.dumperstats.org | tcp
US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | carsalessystem.com | udp
US | 172.67.221.71:443 | carsalessystem.com | tcp
US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 111.216.82.185.in-addr.arpa | udp
DE | 81.3.27.44:3478 | stun.ipfire.org | udp
US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
BG | 185.82.216.111:443 | server15.dumperstats.org | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
BG | 185.82.216.111:443 | server15.dumperstats.org | tcp

Files

memory/2900-1-0x0000000003A20000-0x0000000003E19000-memory.dmp

memory/2900-2-0x0000000003E20000-0x000000000470B000-memory.dmp

memory/2900-3-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/2844-4-0x00000000021A0000-0x00000000021D6000-memory.dmp

memory/2844-5-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/2844-6-0x0000000002650000-0x0000000002660000-memory.dmp

memory/2844-7-0x0000000002650000-0x0000000002660000-memory.dmp

memory/2844-8-0x0000000004CD0000-0x00000000052F8000-memory.dmp

memory/2844-9-0x0000000004B30000-0x0000000004B52000-memory.dmp

memory/2844-10-0x0000000005300000-0x0000000005366000-memory.dmp

memory/2844-11-0x00000000054A0000-0x0000000005506000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3sdo043.qfs.ps1

MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ed3d5be8d93dc3e76e2d07fb8ac198ab
SHA1 18055d0eba7e44cae4d812ab7c0057d47a577d17
SHA256 202be0be0f7ef869df2b2c51fc97ba3fea391c5e21918e44b888c3aeaa08a941
SHA512 343e481b6e379f1644c20cab67b0260643cc6ef07ed3ed3868a44744aacad8a8d1324c4bb7db8fa0bbfede1429b8257960fe7c9b407bff49a26ad27152bad984

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ce291e877d2d4101b563f37bc3e569c2
SHA1 9d6f1a5daf1c85a87dc3281b67114f93b85260c9
SHA256 4a49eb870da8b88d3472cce9b43e88e60a5cdc339b52f910917ff1a8bf134d66
SHA512 6c1eb85dc9bec94e7135685b08384877f88846c9739c498156327d8e4ace3aa66dda8b47d560a6edf5cb1af67b9bb5703cf6dbc2b8530f3d6cfd1c2e32f94c0d

C:\Windows\rss\csrss.exe

MD5 c03d5b59011cda23e1ec9775a6c18ff3
SHA1 5aca29ecc8b7e6bbfee886d648b6e07d6bab6869
SHA256 15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98
SHA512 0439ecba33ccfb05ada25f37e43c8007e9887baf426b2389aa44a8330aaa2e696339d9fd0084f3f694c88dc7726ef1f2c872344309d604a876052e71c9c24d36

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d44ce39353a448414a8b1b5fd73fe70
SHA1 92e41bfd2713652c8413ef0ae36f7f3ca2b61984
SHA256 fb9ae29321dfde7eda0b91af06416647f0ff948f4240152ae5d4be23a1a74ae5
SHA512 cace1930a5ee7b6ef7cafc7647e2c525aaa5857b8da40fe6c4a4f3a67165cdd5312c808211e79029daa8b30a839720b1ea68e2feb55843bf6865f33f0635ea22

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 50c8e78272a2ed4c3291570c63daad23
SHA1 4ebc8cca255d5c27878c65af0cd3113e6f94aaf9
SHA256 ba701a3cae8b3030262bd8d4d56e5332695c7ac95d9ca11105c90a44756e9c29
SHA512 8f27911b6b9b0d4865608dd90b56c8534c97375362e7606364af589e60c54546707a436e669766ba9b169602f06b224375d236c6f8c1a5f8e08249790371357c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 86d696b27a4939fa84a79fa201908e34
SHA1 a5c4390a36e3b32aec454e1290175e5f7136a639
SHA256 43786cd09f21fdf0c91a77c2a7096faa91cc665466056177edc5eb2287c54a9d
SHA512 1cb25d2e222e7d0a95f5130fd4ebe48c7410b1774f486650674b3608516d895e31049ba2ec59f15a8766f9f12da243105d5e04488b140bdfce2dce943be05eaf

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 21:23

Reported

2024-04-20 21:25

Platform

win11-20240412-en

Max time kernel

17s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5084 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5084 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\system32\cmd.exe
PID 652 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 652 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2868 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2868 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\rss\csrss.exe
PID 2868 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\rss\csrss.exe
PID 2868 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe C:\Windows\rss\csrss.exe
PID 856 wrote to memory of 4080 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 4080 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 4080 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 3312 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe

"C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe

"C:\Users\Admin\AppData\Local\Temp\15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8181d033-b56e-440b-9c50-e50e08b824ca.uuid.dumperstats.org udp
US 8.8.8.8:53 server5.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server5.dumperstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
BG 185.82.216.111:443 server5.dumperstats.org tcp

Files

memory/5084-1-0x0000000003D90000-0x0000000004196000-memory.dmp

memory/5084-2-0x00000000041A0000-0x0000000004A8B000-memory.dmp

memory/5084-3-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/828-4-0x0000000002280000-0x00000000022B6000-memory.dmp

memory/828-5-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/828-6-0x0000000000B20000-0x0000000000B30000-memory.dmp

memory/828-7-0x0000000004CD0000-0x00000000052FA000-memory.dmp

memory/828-8-0x0000000005300000-0x0000000005322000-memory.dmp

memory/828-9-0x00000000053A0000-0x0000000005406000-memory.dmp

memory/828-10-0x0000000005410000-0x0000000005476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikgxlnii.lya.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/828-19-0x0000000005580000-0x00000000058D7000-memory.dmp

memory/828-20-0x0000000005A70000-0x0000000005A8E000-memory.dmp

memory/828-21-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

memory/828-22-0x0000000006000000-0x0000000006046000-memory.dmp

memory/828-23-0x000000007F2B0000-0x000000007F2C0000-memory.dmp

memory/828-25-0x0000000070720000-0x000000007076C000-memory.dmp

memory/828-24-0x0000000006EA0000-0x0000000006ED4000-memory.dmp

memory/828-26-0x00000000708A0000-0x0000000070BF7000-memory.dmp

memory/828-35-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

memory/828-36-0x0000000006F00000-0x0000000006FA4000-memory.dmp

memory/828-37-0x0000000000B20000-0x0000000000B30000-memory.dmp

memory/828-38-0x0000000007670000-0x0000000007CEA000-memory.dmp

memory/828-39-0x0000000007020000-0x000000000703A000-memory.dmp

memory/828-40-0x0000000007060000-0x000000000706A000-memory.dmp

memory/828-41-0x0000000007170000-0x0000000007206000-memory.dmp

memory/828-42-0x0000000007080000-0x0000000007091000-memory.dmp

memory/828-43-0x00000000070D0000-0x00000000070DE000-memory.dmp

memory/828-44-0x00000000070E0000-0x00000000070F5000-memory.dmp

memory/828-45-0x0000000007130000-0x000000000714A000-memory.dmp

memory/828-46-0x0000000007150000-0x0000000007158000-memory.dmp

memory/828-49-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/2868-51-0x0000000003D00000-0x00000000040FF000-memory.dmp

memory/5084-52-0x0000000003D90000-0x0000000004196000-memory.dmp

memory/2868-53-0x0000000004100000-0x00000000049EB000-memory.dmp

memory/2868-54-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4852-56-0x0000000005610000-0x0000000005620000-memory.dmp

memory/4852-55-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/4852-57-0x0000000005610000-0x0000000005620000-memory.dmp

memory/4852-66-0x0000000006360000-0x00000000066B7000-memory.dmp

memory/4852-67-0x0000000070720000-0x000000007076C000-memory.dmp

memory/4852-68-0x0000000070930000-0x0000000070C87000-memory.dmp

memory/5084-78-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/4852-77-0x0000000007AD0000-0x0000000007B74000-memory.dmp

memory/4852-79-0x000000007FD10000-0x000000007FD20000-memory.dmp

memory/4852-80-0x0000000005610000-0x0000000005620000-memory.dmp

memory/4852-81-0x0000000007E10000-0x0000000007E21000-memory.dmp

memory/4852-82-0x0000000007E60000-0x0000000007E75000-memory.dmp

memory/4852-85-0x00000000744B0000-0x0000000074C61000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4488-87-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/4488-88-0x0000000005570000-0x0000000005580000-memory.dmp

memory/4488-89-0x0000000005570000-0x0000000005580000-memory.dmp

memory/4488-98-0x00000000063F0000-0x0000000006747000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cda22be6c5c283d57215fb9dc4621b9d
SHA1 b16c741cd49c1f3eb2105c2c6c4647d58b018c17
SHA256 c51b5ed2ca4e627baae8e8d32b4b75ab8abaa50dafad093adfb6bde6f3552b34
SHA512 5676ac7a312429c8ec02d0a719660c1488dd2f6943d55c1bdc0accfd5c37da6fa8a0bc25bef2df3438bfb7596d66f42586358e0d06d0068d1792ed1f69040f2c

memory/4488-101-0x0000000070720000-0x000000007076C000-memory.dmp

memory/4488-100-0x000000007F150000-0x000000007F160000-memory.dmp

memory/4488-102-0x0000000070970000-0x0000000070CC7000-memory.dmp

memory/4488-112-0x0000000005570000-0x0000000005580000-memory.dmp

memory/2868-111-0x0000000003D00000-0x00000000040FF000-memory.dmp

memory/4488-113-0x0000000005570000-0x0000000005580000-memory.dmp

memory/4488-115-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/1788-117-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/1788-118-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/1788-119-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/1788-128-0x0000000006220000-0x0000000006577000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c4c04ddad77e88d4377fa493aab04f42
SHA1 fa9b2e2b55319acde9bfb762f650508270d58408
SHA256 5816cfff181b26240f4dddf3d836c1f57e65c8833f775e51b3ade44a431f172a
SHA512 d1fa03033950c77b7671cb70d50db7adce585ce3243c06db6a69f28076fa4304c57614a9369e34929af28b34214ea882b465ecf3f74a0cf9370ca6a2df870c6f

memory/1788-130-0x0000000070720000-0x000000007076C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c03d5b59011cda23e1ec9775a6c18ff3
SHA1 5aca29ecc8b7e6bbfee886d648b6e07d6bab6869
SHA256 15bbf04148565d2dbf7bb81a902101399ac1f20edda7ae77213a8b97f5615b98
SHA512 0439ecba33ccfb05ada25f37e43c8007e9887baf426b2389aa44a8330aaa2e696339d9fd0084f3f694c88dc7726ef1f2c872344309d604a876052e71c9c24d36

memory/2868-148-0x0000000000400000-0x0000000001DF9000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 92ce75319ec3ad4f7d48859aad8e758a
SHA1 6a2fcd8db87cbfc559f42a16f92d013242e5a460
SHA256 bddac3fe1b4d8574eecffedd57e9a2ee9576fdc296212fd5cb34696c1379c724
SHA512 041b11f853a0fe377d24b492b0af6aec78fe431b2704f186ed672657a83d665c79b2f9006c7d2a5b5519c3dd7ecb9afd9dbfde208477bc2b2dbd09366602a90a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 adc724a1125ef321ddbb12beffe563b1
SHA1 d9485b69193ec3691a2f59bdd0d70c58d3533dec
SHA256 4ff308e757f4240ecdb79a0e23ada7bd4d7f11dfb464fcfe27ef83ea7ed783c3
SHA512 adcf61267930fd12589ffd688a5b0ff78d4230e63fa0a83bdfcb65112ba1036b189acbd89a3d51bf2f3fb2bbf5c9413c7bf6bd729b7eaba4878ef4ef47b72cf6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 db65c9286110ff9ca3b09060fb9ab7a3
SHA1 4ba814eb5474897c041ce0a44ef8cd4d67f90738
SHA256 dd149c2840dffef361775eb9e2329a1193fa2c841a40c7f9eaf8a178263c7037
SHA512 7501ab6b4de8ffd79f6a378c8ff4708dd818b42e77a10d33e02e56d2b138ccca579fdeca3b3ef6929ab398c6207a7ccb2fe899ad6e9284d38c53bc5d4d5ec4d6

memory/856-239-0x0000000000400000-0x0000000001DF9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/856-250-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/728-253-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/856-256-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/2704-257-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/856-259-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-262-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/2704-263-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/856-265-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-268-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-271-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-274-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-277-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-280-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-283-0x0000000000400000-0x0000000001DF9000-memory.dmp

memory/856-286-0x0000000000400000-0x0000000001DF9000-memory.dmp