Malware Analysis Report

2025-08-05 12:22

Sample ID 240427-pf2ztaad35
Target 112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa
SHA256 112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa
Tags
glupteba discovery dropper evasion loader persistence rootkit
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 - Detonation Overview, Signatures
Analysis: behavioral1 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2 - Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa

Threat Level: Known bad

The file 112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 12:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 12:17

Reported

2024-04-27 12:19

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(15 matches; the sandbox recorded all four fields as N/A for every one of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (5 events) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A

Suspicious behavior: EnumeratesProcesses

Process Events
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 14
C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe 12
C:\Windows\rss\csrss.exe 4
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 34
(64 events in total; Description, Indicator and Target are N/A for all of them)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3312 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\system32\cmd.exe
PID 4020 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4020 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2088 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 2088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 2088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 1436 wrote to memory of 2064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2108 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1436 wrote to memory of 2108 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
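The table above logs one row per write, so each parent/child pair repeats two or three times and the chain is hard to read. The following Python, added here as an example and not part of the sandbox output, takes the table as printed, deduplicates it into a writer -> target graph with write counts, and renders it as a tree. WPM_ROWS is the table pasted verbatim; the only assumption is that image paths contain no spaces, which holds for every row in this report.

```python
"""Deduplicate the WriteProcessMemory rows above into a writer -> target tree.
Added example, not sandbox output. WPM_ROWS is the table above pasted verbatim."""
from __future__ import annotations
import re
from collections import Counter, defaultdict

WPM_ROWS = r"""
PID 3312 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\system32\cmd.exe
PID 2088 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\system32\cmd.exe
PID 4020 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4020 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2088 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 2088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 2088 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 1436 wrote to memory of 2064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 1252 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 436 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1436 wrote to memory of 2108 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1436 wrote to memory of 2108 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_edges(rows: str) -> tuple[Counter, dict[int, str]]:
    """Return (writer, target) -> write count, and pid -> image path."""
    edges: Counter = Counter()
    images: dict[int, str] = {}
    for line in rows.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:                 # header line or a row the sandbox left as N/A
            continue
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] += 1
        images[src], images[dst] = m[3], m[4]
    return edges, images


def roots(edges: Counter) -> list[int]:
    """Writers that nobody wrote into: the top of each chain."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return sorted(srcs - dsts)


def children(edges: Counter) -> dict[int, list[int]]:
    out: dict[int, list[int]] = defaultdict(list)
    for src, dst in edges:        # Counter keeps first-seen order, so the tree follows the report
        out[src].append(dst)
    return out


def render(rows: str) -> str:
    """Indented tree, one line per target with its write count."""
    edges, images = parse_edges(rows)
    kids = children(edges)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        for dst in kids.get(pid, []):
            lines.append(f"{'    ' * depth}{dst} {basename(images[dst])} (x{edges[(pid, dst)]})")
            walk(dst, depth + 1)

    for root in roots(edges):
        lines.append(f"{root} {basename(images[root])}")
        walk(root, 1)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(WPM_ROWS))
```

Two or three writes into a freshly created child is what kernel32's CreateProcess itself produces when it places the new process's parameters into it, so the count alone is not evidence of injection; every target here is a child the writer launched, and the tree is effectively a process tree. Injection into a process that already existed would appear as an edge whose writer is not the target's parent, which needs the parent PID from the process list and cannot be read from this table alone.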

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe

"C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe

"C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 db5b88c4-17d8-41f8-8328-bab006b03f06.uuid.statstraffic.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server8.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyy1xwtj.2hl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d9d703497ff39725041a1f2baf6a9f0
SHA1 1b053d41f09519f0db6f984a2a78c9a71d5aee27
SHA256 ca604d79ea5e9db6fcba284cbf5f91b2722c169e9b5f3d030838bd5c7da9ca17
SHA512 f5295a172387787424d3424c87880c920361a03872fc13dde6a53bce3eff77450cc427b760e2ea99b10d6cdaa4a3ab17cc7b1492ba162bc232a44c5b4732e609

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e7e1d2342688d86fb998cde4e2201733
SHA1 be7a0faaad54651a642d6c5717e788b1d48095ca
SHA256 f85e10b5670bb5045446250cb7ba09af9fc4a7ef3c578cbc88bce37912125286
SHA512 5b42274ed37d7b9c9e2a727cf2055cc5535bec7d5923f5fb9164401c644385e09ffc1aac2f8e2e9d81ded5299e95f826ec95e187241ec039029b5a1bfe29113a

C:\Windows\rss\csrss.exe

MD5 6987835c461a63dae16bc3f17bae8289
SHA1 efa9d995a09403a3e9d4573a40d79bce63da99a4
SHA256 112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa
SHA512 5f1ea74e0d888e63f224bdf146390c65d2bacc9518b9abd62e7d4760d767b3ce9aa6a2d7355520b1f5ce84461b88b4f81776429faae1f7880168018d9c9295c2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c432b258d7e9163a8ca9619b5e93d2f
SHA1 d89b722737a7d9a0679a2f064261e23ed85d1c8e
SHA256 0145ec425af9cc8c7c7f2c36e7f714066d43b4ae3939a89e42c45daa156fba71
SHA512 acaa6ef164cfbf2f7ae84228fb75815da27d7105baa5f11b4acede9c360a6b7710a0eed58a4120f51b0fb49ca622e92d8f34b8f15cc2293c5bba7cd424f0e439

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6672b690677e7bd64acf88f855ce2e1c
SHA1 2a3a778cc2b8e991b2dd23fed7e60367a74c0f00
SHA256 6cb13961ce39ef63eb1722092667e6e05eb3d1b4e741060205add3aeb8544369
SHA512 7e48fb72f33fe16d492661c0bd1f68f43220ba850c95a2c74c25f5b55d0882fe3161a1e6dbb8a1aa552d128f926eb6ae7c34cb3221590751659a9e85a7d799a2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f15a263147faa575fc93bf731796296f
SHA1 6ae412ff3cc32a3d6ab3593f22ab3173a1749fb7
SHA256 dffeb8864e6b25f56b84085bf3069eedca2f95d4ee40208034f70905b18fa61e
SHA512 3e64f3fff282a70451c36b735be7b8249e2fdb43650c83487720b1c051058427f602687cb36bc0e47fed64fa53a9795e769464f8d544ad9964f01bd7e4826d4f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 12:17

Reported

2024-04-27 12:19

Platform

win11-20240419-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 416 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 3856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4540 wrote to memory of 3856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2844 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 2844 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe C:\Windows\rss\csrss.exe
PID 2312 wrote to memory of 1788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1788 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1740 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1380 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1380 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1380 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1896 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2312 wrote to memory of 1896 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe

"C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe

"C:\Users\Admin\AppData\Local\Temp\112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 64bf9f9c-b531-4acb-82aa-442b5484e710.uuid.statstraffic.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server15.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server15.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp

Files

memory/416-1-0x0000000003530000-0x000000000392B000-memory.dmp

memory/416-2-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/416-3-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4900-4-0x0000000004970000-0x00000000049A6000-memory.dmp

memory/4900-5-0x0000000074910000-0x00000000750C1000-memory.dmp

memory/4900-7-0x00000000049D0000-0x00000000049E0000-memory.dmp

memory/4900-6-0x0000000005010000-0x000000000563A000-memory.dmp

memory/4900-8-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

memory/4900-9-0x0000000005870000-0x00000000058D6000-memory.dmp

memory/4900-10-0x00000000058E0000-0x0000000005946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmei1o31.qid.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4900-19-0x0000000005A50000-0x0000000005DA7000-memory.dmp

memory/4900-20-0x0000000005E50000-0x0000000005E6E000-memory.dmp

memory/4900-21-0x0000000005E70000-0x0000000005EBC000-memory.dmp

memory/4900-22-0x0000000006390000-0x00000000063D6000-memory.dmp

memory/4900-23-0x0000000007240000-0x0000000007274000-memory.dmp

memory/4900-24-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/4900-25-0x0000000070D00000-0x0000000071057000-memory.dmp

memory/4900-34-0x00000000072A0000-0x00000000072BE000-memory.dmp

memory/4900-35-0x00000000072C0000-0x0000000007364000-memory.dmp

memory/4900-36-0x0000000007A30000-0x00000000080AA000-memory.dmp

memory/4900-37-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/4900-38-0x0000000007430000-0x000000000743A000-memory.dmp

memory/4900-39-0x0000000007540000-0x00000000075D6000-memory.dmp

memory/4900-40-0x0000000007450000-0x0000000007461000-memory.dmp

memory/4900-41-0x00000000074A0000-0x00000000074AE000-memory.dmp

memory/4900-42-0x00000000074B0000-0x00000000074C5000-memory.dmp

memory/4900-43-0x0000000007500000-0x000000000751A000-memory.dmp

memory/4900-44-0x0000000007530000-0x0000000007538000-memory.dmp

memory/4900-47-0x0000000074910000-0x00000000750C1000-memory.dmp

memory/416-49-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/416-50-0x0000000003530000-0x000000000392B000-memory.dmp

memory/416-51-0x00000000050D0000-0x00000000059BB000-memory.dmp

memory/4184-61-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/4184-62-0x0000000070D00000-0x0000000071057000-memory.dmp

memory/4184-71-0x00000000070F0000-0x0000000007194000-memory.dmp

memory/4184-72-0x0000000007410000-0x0000000007421000-memory.dmp

memory/4184-73-0x0000000007460000-0x0000000007475000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 109aca4b252072e886356ee19952dddd
SHA1 71ebd80fcf9fad13988e37c93f55cfd11dd05dd0
SHA256 cec86b91e4a19e5a210f41a5f01090824a39a07c2a0a27aee0906c43fea279f6
SHA512 51ccadfbd8da5f3f474037e793375573ec91e1ff04f58b24d022fa2dfe7a2a99c469fddc08ba4108cff6c6719e84a865695aef5f5fcf8b611c6d97547b479d7d

memory/2844-87-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/3572-89-0x0000000070D00000-0x0000000071057000-memory.dmp

memory/3572-88-0x0000000070B80000-0x0000000070BCC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b8c22711d5114f707680ebddb11aae3e
SHA1 f473ffeff666610935c2c1fcec941651503373dc
SHA256 59455fe5ab76ee91eae281e90498cabcf4f6a8bb385a7e9e51f79f4ab3dfbcf0
SHA512 1b72be898ec0bceecc145027a39442704492e71b98c5fc4011b6dfc4c2fc65800a2cab4b38c815e5d6f26e2ef0eebda86e084bffc3ba7fd7fe7dbcd83ad6b889

memory/1088-108-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/1088-109-0x0000000070D00000-0x0000000071057000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6987835c461a63dae16bc3f17bae8289
SHA1 efa9d995a09403a3e9d4573a40d79bce63da99a4
SHA256 112516b1612a7850cf8136b0ad28613bf5e46acb4e84c3467397d5f1635babaa
SHA512 5f1ea74e0d888e63f224bdf146390c65d2bacc9518b9abd62e7d4760d767b3ce9aa6a2d7355520b1f5ce84461b88b4f81776429faae1f7880168018d9c9295c2

memory/2844-123-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9fd3b299053d198bb143601044e0bb3b
SHA1 fb5561ef6e0bd93cdce357d80719d4f43d3b1dd2
SHA256 2a0ce19b4160559a8d39cdbb3015a14d46a20e60546d1d72a000610c1e2ea882
SHA512 8bd8f7cd7b22f6735f4fc2b74a560ab490a641a0cb5bf0a243ac90d9db6e661670c6c53551353c7b41b3158321f3f1c90480b8bae1718aca61bdce6df71c951c

memory/1788-136-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/1788-137-0x0000000070D00000-0x0000000071057000-memory.dmp

memory/2312-147-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-149-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1740-150-0x0000000005840000-0x0000000005B97000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 04d678f8c3d96c874e7b438a600952c7
SHA1 3a78620bf182ff16dccf4019a66ec190d0000b83
SHA256 03b5317d63696b9b03881ca9aae6e511406b67f88be0af4e35a3eba1259aee43
SHA512 e4fb243e549d3ee0e5a8b8c144416fe4009a82c48b45f55e0aa8b653950b2d1fbde4fd3fae43d2910f63c15a659423f8c583e2fad39c8e12ddef1b7171957a41

memory/1740-160-0x00000000062F0000-0x000000000633C000-memory.dmp

memory/1740-161-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

memory/1740-162-0x0000000070CF0000-0x0000000071047000-memory.dmp

memory/1740-171-0x0000000006FA0000-0x0000000007044000-memory.dmp

memory/1740-172-0x0000000007310000-0x0000000007321000-memory.dmp

memory/1740-173-0x0000000005130000-0x0000000005145000-memory.dmp

memory/1380-183-0x0000000006160000-0x00000000064B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 298d1fa8b5b9e7311e15589fd02c2973
SHA1 0e41e65a7640987c533d6b06f28ce7600d775b1e
SHA256 366bf85d35a3fa363be942628b42efb3eeda6996d6e09078e2d35182cc3b9b84
SHA512 b8382248cf9c625b0729a5c314dcf4328a8d81017297580595f36a19c360b721a8780432f7eeeefdcc85cbaa2abc9a61f98179a996c9e48017676c035849de8a

memory/1380-187-0x0000000070C20000-0x0000000070F77000-memory.dmp

memory/1380-186-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2312-202-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-204-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-206-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-208-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-210-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-212-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-214-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2312-216-0x0000000000400000-0x0000000002EDD000-memory.dmp