Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x6vmesah6w
Target 44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a
SHA256 44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a
Tags
glupteba dropper evasion execution loader persistence discovery rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a

Threat Level: Known bad

The file 44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader persistence discovery rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:28

Reported

2024-05-09 19:31

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (12 matches; the report records no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

(These four files are PowerShell's own start-up artefacts, the StartupProfileData-Interactive cache and the .NET CLR usage log, not payloads dropped by the sample. Their location under config\systemprofile, the profile directory of the LocalSystem account, indicates that these 32-bit powershell.exe instances were running as SYSTEM.)

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (12 events) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe (12 events) N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 4076 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 4976 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 3672 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\system32\cmd.exe
PID 3672 wrote to memory of 4772 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 716 wrote to memory of 4868 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 1128 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 4844 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\rss\csrss.exe
PID 4844 wrote to memory of 2368 (3 events) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Read as the parent/child tree these events imply: the sample runs twice (PID 4068, then PID 716). PID 4068 only starts powershell.exe (4076). PID 716 starts powershell.exe three times (4976, 4868, 1128), cmd.exe (3672), which runs netsh.exe (4772) for the firewall rule, and the dropped copy C:\Windows\rss\csrss.exe (4844), which in turn starts powershell.exe (2368).

Processes

C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe

"C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe

"C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
(The Sysnative alias is how a 32-bit process reaches the 64-bit cmd.exe despite WOW64 file-system redirection, which tells us the parent here is a 32-bit process; this is consistent with it starting the SysWOW64 powershell.exe.)

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
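The three persistence and evasion steps in this section, the netsh allow-rule, the ONLOGON task at run level HIGHEST and the Run key recorded under Signatures, all point the system-binary name csrss.exe at C:\Windows\rss\, a directory where the genuine csrss.exe never lives. The following detection, added here as an example and not part of the sandbox report, turns that observation into a rule over process-creation and registry events. The event schema, the rule names and the list of protected binary names are assumptions of the example; the command lines it checks are copied from this section, and the benign look-alikes are constructed for contrast.

```python
"""Flag the persistence and firewall commands recorded in this report.

Added example (not part of the sandbox output). The rule: csrss.exe and a few
other Windows system binaries legitimately live only in System32/SysWOW64, so a
netsh allow-rule, a logon-triggered scheduled task or a Run-key value that
points one of those names at any other directory is worth an alert.
"""
import ntpath
import re
from dataclasses import dataclass

# Names whose genuine copies sit only in the system directories (assumed list).
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                       "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

NETSH_ADD_RULE = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]*)"|(\S+))', re.I)
SCHTASKS_CREATE = re.compile(
    r'schtasks\s+/create\b.*?/tr\s+(?:"([^"]*)"|(\S+))', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)


@dataclass
class Finding:
    rule: str
    path: str
    note: str = ""


def first_path(command: str) -> str:
    """Executable part of a command string: the quoted token, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def masquerading_path(path: str) -> bool:
    """True when a protected binary name sits outside System32/SysWOW64."""
    p = path.strip().lower()
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and ntpath.dirname(p) not in SYSTEM_DIRS


def check_process(cmdline: str) -> list:
    findings = []
    m = NETSH_ADD_RULE.search(cmdline)
    if m and re.search(r"\baction=allow\b", cmdline, re.I):
        program = m.group(1) or m.group(2)          # already unquoted by the regex
        if masquerading_path(program):
            findings.append(Finding("firewall-allow-masquerading-binary", program))
    m = SCHTASKS_CREATE.search(cmdline)
    if m:
        exe = first_path(m.group(1) or m.group(2))  # /TR may carry arguments
        if masquerading_path(exe):
            level = "HIGHEST" if re.search(r"/rl\s+highest\b", cmdline, re.I) else "LIMITED"
            findings.append(Finding("schtask-masquerading-binary", exe, f"run level {level}"))
    return findings


def check_registry(target: str, details: str) -> list:
    exe = first_path(details)
    if RUN_KEY.search(target) and masquerading_path(exe):
        return [Finding("run-key-masquerading-binary", exe)]
    return []


def scan(events: list) -> list:
    """Return (event index, Finding) for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        found = (check_process(ev["cmdline"]) if ev["type"] == "process"
                 else check_registry(ev["target"], ev["details"]))
        hits.extend((i, f) for f in found)
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"
EVENTS = [  # constructed event list; command lines of events 0-5 and 8 come from the report
    {"type": "process", "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "cmdline": "powershell -nologo -noprofile"},
    {"type": "process", "cmdline": r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'},
    {"type": "process", "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"type": "process", "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"type": "process", "cmdline": "schtasks /delete /tn ScheduledUpdate /f"},
    # benign look-alikes (constructed): not a system-binary name / the real System32 copy
    {"type": "process", "cmdline": r'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow program="C:\Program Files\Google\Chrome\Application\chrome.exe" enable=yes'},
    {"type": "process", "cmdline": r'schtasks /CREATE /SC ONLOGON /TR "C:\Windows\System32\svchost.exe -k netsvcs" /TN Svc'},
    {"type": "registry",
     "target": r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss",
     "details": r'"C:\Windows\rss\csrss.exe"'},
]

if __name__ == "__main__":
    for index, finding in scan(EVENTS):
        print(f"event {index}: {finding.rule} -> {finding.path} {finding.note}".rstrip())
```

Run as written it flags events 2, 3, 4 and 8 (the cmd.exe wrapper, netsh, schtasks /CREATE and the Run key) and stays silent on the schtasks /delete, the Chrome rule and the task that targets the genuine System32 svchost.exe. The directory check is exact rather than prefix-based on purpose: a path such as C:\Windows\System32\x\csrss.exe must still fire.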

Network

Country Destination Domain Proto
GB 216.58.201.106:443 - tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3f03f951-6c95-4b88-91a5-e87b5d8cd702.uuid.alldatadump.org udp

(Domain is the name queried; "-" means no domain was recorded for that connection. The in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8, with the address octets in reverse order.)
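The Network table lists nine reverse lookups and one forward query whose leftmost label is a UUID. A reverse-lookup name carries the address octets in reverse order, so the table does not directly show which addresses were looked up. The helper below, added here as an example and not part of the report, decodes the PTR names back into addresses (IPv4 and, as a generalisation beyond the table, IPv6 ip6.arpa names) and flags UUID-labelled forward queries. QUERIES is copied from the table; the IPv6 name used in the check is constructed.

```python
"""Decode the DNS queries listed in the Network table.

Added example (not part of the report). Names under in-addr.arpa are PTR
queries with the IPv4 octets reversed; names under ip6.arpa carry the 32 IPv6
nibbles reversed. Forward queries whose first label is a UUID, the shape of
the alldatadump.org query, are reported separately.
"""
import ipaddress
import re

# Copied from the Network table of this report.
QUERIES = [
    "133.211.185.52.in-addr.arpa",
    "77.190.18.2.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "183.59.114.20.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "209.205.72.20.in-addr.arpa",
    "37.56.20.217.in-addr.arpa",
    "79.190.18.2.in-addr.arpa",
    "13.227.111.52.in-addr.arpa",
    "3f03f951-6c95-4b88-91a5-e87b5d8cd702.uuid.alldatadump.org",
]

UUID_LABEL = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def ptr_to_ip(name):
    """Reverse-lookup name -> address string, or None if the name is not one."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            groups = (nibbles[i:i + 4] for i in range(0, 32, 4))
            return str(ipaddress.IPv6Address(":".join(groups)))
    except ValueError:  # non-numeric octet, bad nibble or out-of-range value
        return None
    return None


def classify(queries):
    """Return (decoded reverse lookups, forward lookups, forward lookups with a UUID label)."""
    reverse, forward, uuid_labelled = [], [], []
    for q in queries:
        ip = ptr_to_ip(q)
        if ip is not None:
            reverse.append(ip)
            continue
        forward.append(q)
        if UUID_LABEL.match(q.split(".")[0]):
            uuid_labelled.append(q)
    return reverse, forward, uuid_labelled


if __name__ == "__main__":
    rev, fwd, flagged = classify(QUERIES)
    print("reverse lookups:", ", ".join(rev))
    print("forward lookups:", fwd)
    print("UUID-labelled  :", flagged)
```

Decoding the nine PTR names gives 52.185.211.133, 2.18.190.77, 192.229.221.95, 20.114.59.183, 20.3.187.198, 20.72.205.209, 217.20.56.37, 2.18.190.79 and 52.111.227.13, which are the addresses to enrich when triaging this detonation; the alldatadump.org query is the only forward lookup and is the one UUID-labelled name.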

Files

memory/4068-1-0x0000000003240000-0x000000000363D000-memory.dmp

memory/4068-2-0x0000000004FE0000-0x00000000058CB000-memory.dmp

memory/4068-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4076-4-0x000000007454E000-0x000000007454F000-memory.dmp

memory/4076-5-0x0000000002940000-0x0000000002976000-memory.dmp

memory/4076-6-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4076-7-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4076-8-0x00000000050F0000-0x0000000005718000-memory.dmp

memory/4068-9-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4076-10-0x0000000004E80000-0x0000000004EA2000-memory.dmp

memory/4076-11-0x0000000005890000-0x00000000058F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzir1j2x.t0m.ps1 (a probe file powershell.exe writes to %TEMP% at start-up to test whether an AppLocker/WDAC script policy applies; a by-product of PowerShell running, not a dropped payload)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4076-14-0x0000000005900000-0x0000000005966000-memory.dmp

memory/4076-22-0x0000000005AB0000-0x0000000005E04000-memory.dmp

memory/4076-23-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/4076-24-0x0000000006010000-0x000000000605C000-memory.dmp

memory/4068-25-0x0000000003240000-0x000000000363D000-memory.dmp

memory/4076-26-0x00000000065C0000-0x0000000006604000-memory.dmp

memory/4068-27-0x0000000004FE0000-0x00000000058CB000-memory.dmp

memory/4076-28-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4076-29-0x0000000007260000-0x00000000072D6000-memory.dmp

memory/4076-30-0x00000000079C0000-0x000000000803A000-memory.dmp

memory/4076-31-0x0000000007380000-0x000000000739A000-memory.dmp

memory/4068-33-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4068-32-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4076-34-0x0000000007560000-0x0000000007592000-memory.dmp

memory/4076-36-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4076-35-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/4076-37-0x0000000070560000-0x00000000708B4000-memory.dmp

memory/4076-47-0x0000000007540000-0x000000000755E000-memory.dmp

memory/4076-48-0x00000000075A0000-0x0000000007643000-memory.dmp

memory/4076-49-0x0000000007690000-0x000000000769A000-memory.dmp

memory/4076-50-0x000000007454E000-0x000000007454F000-memory.dmp

memory/4076-51-0x0000000007740000-0x00000000077D6000-memory.dmp

memory/4076-52-0x0000000007200000-0x0000000007211000-memory.dmp

memory/4076-54-0x00000000076F0000-0x00000000076FE000-memory.dmp

memory/4076-55-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4068-53-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4076-56-0x0000000007700000-0x0000000007714000-memory.dmp

memory/4076-57-0x0000000007800000-0x000000000781A000-memory.dmp

memory/4076-58-0x00000000077E0000-0x00000000077E8000-memory.dmp

memory/4076-61-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4068-63-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4976-66-0x0000000005C40000-0x0000000005F94000-memory.dmp

memory/4976-76-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/4976-77-0x0000000070B60000-0x0000000070EB4000-memory.dmp

memory/4976-87-0x00000000074C0000-0x0000000007563000-memory.dmp

memory/4976-88-0x00000000077D0000-0x00000000077E1000-memory.dmp

memory/4976-89-0x0000000007840000-0x0000000007854000-memory.dmp

memory/716-92-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a940a8b94856dc02e5b1b799a0bff7ab
SHA1 cb9b2a3c0603d128a11e5208ea024e71912c2bec
SHA256 381482a854430a21cb7792979a125f209f10110946b2a5dc857a15163517fc45
SHA512 97bd315d18c2d0d2140d8de0952c02d25479e2fe847ad38df97f35788a76588f49fd7b36a42888bdb56cab02c6423ca931918b5063cb3f78d9557608c64dc827

memory/4868-105-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/4868-106-0x0000000070B60000-0x0000000070EB4000-memory.dmp

memory/1128-126-0x0000000005920000-0x0000000005C74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5b1c71050a4e21f95dbb13fc318f147
SHA1 93fa7e24890bbfd14110d5bc719dddbe723904c1
SHA256 9ecbfe0dc379a548617de341cd75152ed9f58ed6006ab438f33a3c681d0ebaae
SHA512 11e9481f5392fcfb60cedc4c956c8ea9e64263c48933fc0b52cbd1d488e3fa9f348b164562c13a96fae38f112554aa55cca405fa93ec21f95b77449b3285e7a3

memory/716-128-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1128-129-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/1128-130-0x0000000070580000-0x00000000708D4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 efe81e338f7ac4d981457b0ee8e23851
SHA1 d485c50537711e84d05c5a9523a414a4f6860873
SHA256 44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a
SHA512 4a55eb64f5cb8ddc0ec002236011403e6df865a6fa1b4db2f6a809b11c8bb2aa9d6a37ee767009683e217253a47f7b0ef3226e91961804c63cd54a24c7c44259

memory/716-147-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 514a5123f245939d0899bf042fec86f8
SHA1 2198b220fa20b44a8f0ab3686c590d255c741f0e
SHA256 32a3ee1a910d1c9302cbec21be0b4c2e9da97712c334295da56a6dfe24d719b0
SHA512 7708d904465271edbb136c223540b5fee28c07bca24875d54822afa05a2b3f20b9dcdded323e219d9acc4ce01d47cb879920fc6430cebc4b10f5faf6580871b4

memory/2368-164-0x00000000703E0000-0x000000007042C000-memory.dmp

memory/2368-165-0x0000000070560000-0x00000000708B4000-memory.dmp

memory/4844-163-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3140-182-0x0000000006230000-0x0000000006584000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 962ab2cf5b2a42fa9f9806c6738bcd53
SHA1 5a86bab41913f2bcac60d0d5b781eadf3df2e755
SHA256 fafe29316923a6fc8d43b48bb0cd79310d4aa1d3274ae1dab7463bef2c7533e6
SHA512 844141c5257d4ef043d13d0c030209a72767f66f06490b1d328106fc793ee46fd8d41eaf4565a70ebabc45222ebe846986e0963a1f109c33cbcdf8a73db01b70

memory/3140-188-0x0000000006960000-0x00000000069AC000-memory.dmp

memory/3140-189-0x0000000070300000-0x000000007034C000-memory.dmp

memory/3140-190-0x0000000070AB0000-0x0000000070E04000-memory.dmp

memory/3140-200-0x0000000007B40000-0x0000000007BE3000-memory.dmp

memory/3140-201-0x0000000007D00000-0x0000000007D11000-memory.dmp

memory/3140-202-0x00000000066F0000-0x0000000006704000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:28

Reported

2024-05-09 19:31

Platform

win11-20240419-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4452 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4452 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4452 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\system32\cmd.exe
PID 4496 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2124 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4496 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\rss\csrss.exe
PID 4496 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\rss\csrss.exe
PID 4496 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe C:\Windows\rss\csrss.exe
PID 3044 wrote to memory of 4896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 4896 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 2368 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3044 wrote to memory of 1728 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3044 wrote to memory of 1728 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1540 wrote to memory of 1416 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1416 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1416 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1416 wrote to memory of 896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1416 wrote to memory of 896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe

"C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe

"C:\Users\Admin\AppData\Local\Temp\44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 4ee25a6c-ecef-43b6-9140-fa8c715e9022.uuid.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.alldatadump.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.108:443 server15.alldatadump.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server15.alldatadump.org tcp
BG 185.82.216.108:443 server15.alldatadump.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fcvipvk.3dk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 37cf6684784899bddc3112d7fa633aae
SHA1 6e6ef2d2ef8a8a2eb961ff8dfd027271c73323aa
SHA256 6a01395d05f6f1e7321bcd92495cadba9db7a2ee36990ecf07f23fc99c4d698e
SHA512 5cfe2730ab834b498870f8e8ed4e9414f4ff15a31ffc8f667832d0d3e75310195d12a710585ad0b3cc04b34b70a912aa027912f4ea6e53cd6c0f19b3f1a15d4f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 09915e738614d5a7194b0a963cadf734
SHA1 bb6acb79492bf30324b5d7e2337acbaeb7aa2c32
SHA256 6ef3b3ced6a319cae562e9b3a8e7746936ab7fab941f2603f1cc03a4f4ac396f
SHA512 56d00f3014ab9207fd2034328d90bb0b6d700001ed4369bd4565c01f803847cbfb59090161cf520523076eb30a5c88a56b6f1aeddf6432f6feb4ea0a8be92a9d

C:\Windows\rss\csrss.exe

MD5 efe81e338f7ac4d981457b0ee8e23851
SHA1 d485c50537711e84d05c5a9523a414a4f6860873
SHA256 44585fd6d0950b09e982a66f087842be69ad891da6a41214015546178437fd0a
SHA512 4a55eb64f5cb8ddc0ec002236011403e6df865a6fa1b4db2f6a809b11c8bb2aa9d6a37ee767009683e217253a47f7b0ef3226e91961804c63cd54a24c7c44259

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 969d5ed51b0deb1fb62b7e3fbe4bbfb4
SHA1 705e21b1fcaa505507b1fbd20c4770dbed84ac75
SHA256 34e80648432bd73b65abebd8448a523cde1eaacdcaae7dc17efefeb726283ed5
SHA512 263cb0d54796ca590c679f02861eeb67f0686fa52973286395257b3878c5706d8592e5b29075f4820993cc9e0fba4f1d4d07dd22eda3694e7a442e4781463f5e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 42de3b22dfec0cd56353e966805aa274
SHA1 9b3a34ff0f27a7403466ad20d59375933c878baa
SHA256 77fa54eee420cb69bd6a94b1a38f42c5eabcae985a27e683a81d0bb18e2eea17
SHA512 df481627764c7d16832101aa28c2481443ec40eeb829675c0440cea3c94ef38f963a18c029c8560585d872693c843e8e87751ba704ba31dade7d78681fb8d74e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 190d159b0e295d1ba2e17438cc86d936
SHA1 2c47746fb381f5a5cb98db16b02ce0e8502fad15
SHA256 a47295a9c1c0ba757ef06d5263aa82fb3f8710023d4c3883606c7155afa39244
SHA512 c7201a26d8c50012fda9ce84b24feede75e6431905cf711f6b83505faf85bb71536af03b8e53950a0678d8a8189c4b7882f2158b2e254c42d645c8791b46c532

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
