Malware Analysis Report

2025-06-16 01:58

Sample ID: 240509-ya3htsbb3y
Target: f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620
SHA256: f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620
Tags: glupteba discovery dropper evasion execution loader persistence rootkit upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

Threat Level: Known bad

The file f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 19:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 19:35

Reported: 2024-05-09 19:38

Platform: win10v2004-20240508-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (18 identical rows; no further detail recorded)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 identical rows; no further detail recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3088 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3088 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3088 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\system32\cmd.exe
PID 5068 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\system32\cmd.exe
PID 1496 wrote to memory of 3328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 1496 wrote to memory of 3328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 5068 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\rss\csrss.exe
PID 5068 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\rss\csrss.exe
PID 5068 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe | C:\Windows\rss\csrss.exe
PID 3808 wrote to memory of 4376 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4376 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4376 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4492 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4492 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4492 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 1500 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 1500 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 1500 | N/A | C:\Windows\rss\csrss.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3808 wrote to memory of 4568 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3808 wrote to memory of 4568 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5052 wrote to memory of 3024 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 3024 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 3024 | N/A | C:\Windows\windefender.exe | C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 3024 wrote to memory of 2024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe

"C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe

"C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
BE 2.17.196.145:443 www.bing.com tcp
US 8.8.8.8:53 145.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 9604350f-ec66-43c0-b63c-d3315e6af12d.uuid.dumppage.org udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server4.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
BG 185.82.216.111:443 server4.dumppage.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
BG 185.82.216.111:443 server4.dumppage.org tcp

Files

memory/3088-1-0x0000000003320000-0x0000000003720000-memory.dmp

memory/3088-2-0x0000000004FC0000-0x00000000058AB000-memory.dmp

memory/3088-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/640-5-0x00000000025E0000-0x0000000002616000-memory.dmp

memory/640-6-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

memory/640-7-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/640-8-0x00000000051B0000-0x00000000057D8000-memory.dmp

memory/640-9-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/3088-4-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/640-10-0x0000000005040000-0x0000000005062000-memory.dmp

memory/640-11-0x0000000005850000-0x00000000058B6000-memory.dmp

memory/640-12-0x00000000058C0000-0x0000000005926000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3bl34rz.q5g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/640-18-0x0000000005930000-0x0000000005C84000-memory.dmp

memory/640-23-0x0000000005F10000-0x0000000005F2E000-memory.dmp

memory/640-24-0x0000000005F40000-0x0000000005F8C000-memory.dmp

memory/640-25-0x0000000006470000-0x00000000064B4000-memory.dmp

memory/640-26-0x0000000007230000-0x00000000072A6000-memory.dmp

memory/640-27-0x0000000007930000-0x0000000007FAA000-memory.dmp

memory/640-28-0x00000000072D0000-0x00000000072EA000-memory.dmp

memory/640-30-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/640-31-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/640-29-0x0000000007480000-0x00000000074B2000-memory.dmp

memory/640-32-0x0000000071490000-0x00000000717E4000-memory.dmp

memory/640-42-0x00000000074C0000-0x00000000074DE000-memory.dmp

memory/640-43-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/640-44-0x00000000074E0000-0x0000000007583000-memory.dmp

memory/640-45-0x00000000075D0000-0x00000000075DA000-memory.dmp

memory/640-46-0x0000000007690000-0x0000000007726000-memory.dmp

memory/640-47-0x00000000075F0000-0x0000000007601000-memory.dmp

memory/640-48-0x0000000007630000-0x000000000763E000-memory.dmp

memory/640-49-0x0000000007640000-0x0000000007654000-memory.dmp

memory/640-50-0x0000000007730000-0x000000000774A000-memory.dmp

memory/640-51-0x0000000007670000-0x0000000007678000-memory.dmp

memory/640-54-0x0000000074E70000-0x0000000075620000-memory.dmp

memory/3088-56-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3088-57-0x0000000003320000-0x0000000003720000-memory.dmp

memory/3088-58-0x0000000004FC0000-0x00000000058AB000-memory.dmp

memory/3108-68-0x0000000005A10000-0x0000000005D64000-memory.dmp

memory/3088-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5068-69-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3108-71-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/3108-72-0x0000000070E90000-0x00000000711E4000-memory.dmp

memory/3108-82-0x00000000070E0000-0x0000000007183000-memory.dmp

memory/3108-83-0x0000000007400000-0x0000000007411000-memory.dmp

memory/3108-84-0x0000000007450000-0x0000000007464000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4afe1eeb05c2f5141cad45b205a7ee72
SHA1 fdafcdc5086bf4a76d53e2b468cd56b1885a9c3b
SHA256 4328a31e656526d1cb842ef9fe3eab97032fce676382d0ea0bb744ace712cf52
SHA512 0a7e4ad3e1c6d48dd480c4c1e05b8cf6c315a53ab6b1e25970e5cc3b0136bd553db259c8a4e6fb5067871212bc4d3d7b4e3f30e120a77de945347a5973f23172

memory/3024-99-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/3024-100-0x0000000070E90000-0x00000000711E4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e05c684d6da2a382922559bd120b71ef
SHA1 3eaf6dd7990328b1d88ef9fba43417b35630a68c
SHA256 ed469e90b10fc94037cc77fa154ae54baa3e907df243720c61e96b045e564430
SHA512 a58326ea5493fe2207691f3f60c44045b3913a88e452fcbd50a4fcbeee22d635e5e21555f3b89c15b0fa47eb6c377a2fd9f7d33f0b5cdcea8c5804a0b1294388

memory/2104-121-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/2104-122-0x0000000071490000-0x00000000717E4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f6156b63d313f7247432a693de39daef
SHA1 bff890bf23551db49d04af57779630bea35356a9
SHA256 f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620
SHA512 54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

memory/5068-137-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8bff967afef75e3f043eb745c014cef3
SHA1 f48d6cc2286bd6515dbd61c25e0d77102a3c4018
SHA256 c310ee727d6979dc0c432b8be2e0bd0be2d59ba464a34c99e026a644ffd74710
SHA512 de8f17001f59aa37632b49b0c3df65e877cfd893b4f724bacc457e6604d509bf35308853679fb860c6f118cebb5ab3ff7dc3141416634cbed63506bab6a82343

memory/4376-150-0x0000000070D10000-0x0000000070D5C000-memory.dmp

memory/4376-151-0x0000000071490000-0x00000000717E4000-memory.dmp

memory/4492-163-0x0000000006020000-0x0000000006374000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6e984020dc6a71fc6a1b1efd1f1a6df5
SHA1 33b6ee2303ff0e28ec360e4eda66d5840708eefb
SHA256 fa382cf6a9b56bb8a4072077bae28c2e3a2cf681e55267d0961cc8f2d5625dda
SHA512 511ea23e70c9f9e96b03cf4c4ca4cef7a00785d0b112ac21be6abe23b454da213c3a1a608807c917152e1a1b97ac05f1d0992f8cbacd6af201b945bb00e93fc4

memory/4492-174-0x0000000006A50000-0x0000000006A9C000-memory.dmp

memory/4492-175-0x0000000070C30000-0x0000000070C7C000-memory.dmp

memory/4492-176-0x00000000713C0000-0x0000000071714000-memory.dmp

memory/4492-186-0x0000000007910000-0x00000000079B3000-memory.dmp

memory/4492-187-0x00000000064B0000-0x00000000064C1000-memory.dmp

memory/4492-188-0x00000000064F0000-0x0000000006504000-memory.dmp

memory/1500-199-0x00000000065B0000-0x0000000006904000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1e92b8100b01bbfcbad7263ba4af1585
SHA1 e7e0d5e0605ca1e6150c8f1d58cb6b7160d99f9e
SHA256 646fa7d9902acb63cf19a39702423cd06588b40f432ddaabe0988b3e8644f9dd
SHA512 abc55a78c11f635f919e47f8c66abb52606edaace5de7de6967c094d6e84839d8cb138cfc03eec61f979f57b1f16383dd23ca33394038b460ac7b9db3525bda7

memory/1500-201-0x0000000070C30000-0x0000000070C7C000-memory.dmp

memory/1500-202-0x0000000070DB0000-0x0000000071104000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3808-213-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3808-220-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5052-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5052-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/892-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3808-230-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/892-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3808-233-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3808-236-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/892-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3808-239-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3808-242-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3808-245-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3808-248-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3808-251-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:35

Reported

2024-05-09 19:38

Platform

win11-20240426-en

Max time kernel

10s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe

"C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe

"C:\Users\Admin\AppData\Local\Temp\f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 fd73a20b-9327-40a8-aea8-6ae64ee42b15.uuid.dumppage.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server12.dumppage.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 52.111.229.43:443 tcp
BG 185.82.216.111:443 server12.dumppage.org tcp

Files

memory/3868-1-0x0000000003210000-0x0000000003610000-memory.dmp

memory/3868-2-0x0000000005030000-0x000000000591B000-memory.dmp

memory/3868-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4976-5-0x000000007401E000-0x000000007401F000-memory.dmp

memory/4976-6-0x00000000026C0000-0x00000000026F6000-memory.dmp

memory/4976-8-0x00000000052E0000-0x000000000590A000-memory.dmp

memory/4976-7-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/4976-9-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/4976-10-0x0000000005040000-0x0000000005062000-memory.dmp

memory/3868-4-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4976-11-0x0000000005910000-0x0000000005976000-memory.dmp

memory/4976-12-0x0000000005980000-0x00000000059E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n1ij2an2.f5g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4976-21-0x0000000005AE0000-0x0000000005E37000-memory.dmp

memory/4976-22-0x0000000005F00000-0x0000000005F1E000-memory.dmp

memory/4976-23-0x0000000005F90000-0x0000000005FDC000-memory.dmp

memory/4976-24-0x0000000006470000-0x00000000064B6000-memory.dmp

memory/4976-37-0x0000000007380000-0x0000000007424000-memory.dmp

memory/4976-36-0x0000000007360000-0x000000000737E000-memory.dmp

memory/4976-27-0x0000000070400000-0x0000000070757000-memory.dmp

memory/4976-38-0x0000000007AF0000-0x000000000816A000-memory.dmp

memory/4976-39-0x00000000074B0000-0x00000000074CA000-memory.dmp

memory/4976-40-0x00000000074F0000-0x00000000074FA000-memory.dmp

memory/4976-26-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/4976-25-0x0000000007300000-0x0000000007334000-memory.dmp

memory/4976-41-0x0000000007600000-0x0000000007696000-memory.dmp

memory/4976-42-0x0000000007510000-0x0000000007521000-memory.dmp

memory/4976-43-0x0000000007560000-0x000000000756E000-memory.dmp

memory/4976-44-0x0000000007570000-0x0000000007585000-memory.dmp

memory/4976-45-0x00000000075C0000-0x00000000075DA000-memory.dmp

memory/4976-46-0x00000000075E0000-0x00000000075E8000-memory.dmp

memory/4976-49-0x0000000074010000-0x00000000747C1000-memory.dmp

memory/3868-51-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2784-60-0x0000000005880000-0x0000000005BD7000-memory.dmp

memory/2784-62-0x0000000070430000-0x0000000070787000-memory.dmp

memory/2784-71-0x0000000007050000-0x00000000070F4000-memory.dmp

memory/2784-61-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2784-72-0x0000000007380000-0x0000000007391000-memory.dmp

memory/3868-74-0x0000000003210000-0x0000000003610000-memory.dmp

memory/3868-75-0x0000000005030000-0x000000000591B000-memory.dmp

memory/2716-73-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2784-76-0x00000000073D0000-0x00000000073E5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/2076-85-0x0000000005500000-0x0000000005857000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b74f6da5c12db03c51dfa34d08c2a64f
SHA1 87410f6470fb59195a671199844e4860db849a8d
SHA256 99c93ad09ea3e02dee462d6d983bc606cb2e24767e598b9155ada96ffe5056a0
SHA512 5ad2b8dcef0d25f7095e693b4862fb8cf353cc170a61256823f2a41f39474a04f5f13af30a5aa775f3c180f74dc5b91b6f64999ac54b7b595bc37d4fa95dc703

memory/2076-90-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/2076-91-0x00000000704D0000-0x0000000070827000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0d67f63eb26a3839154567e62f35df91
SHA1 ce5d8178483c1c461c2beaea6e3316e78ecca5fe
SHA256 677b0135ba5eee59be5bc001e5889c4ed31a91c43a8821be2c2e239d0fc43924
SHA512 1369914cf96ac809c9d517ec4536bd616808802ceab445455b8ddd9cac2809be9f9f6f12024787b2bd5347ca0c5f7abbc429019519d46405d4c92d685d66c040

memory/5016-110-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/5016-111-0x0000000070400000-0x0000000070757000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f6156b63d313f7247432a693de39daef
SHA1 bff890bf23551db49d04af57779630bea35356a9
SHA256 f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620
SHA512 54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

memory/2716-124-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3868-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 948e9498a439f54f2df331073fbd0b3c
SHA1 b6b9936be1ab2e1021fa4995f2ab025c2f909bf6
SHA256 530ed7e4cbb93a1b465fde50376c7223c387839a97e83a523c1013fdbb1f0d68
SHA512 908d090e9364b89cadf4cdb913d9ff8b7cf7bf626254e95dcf47ef92ba949e69adb515d1cf3df80737fe58fc6f11041ed4b87683bf0ca7e513456e296374bb7f

memory/452-140-0x0000000070400000-0x0000000070757000-memory.dmp

memory/452-139-0x0000000070280000-0x00000000702CC000-memory.dmp

memory/4084-158-0x0000000006370000-0x00000000066C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 482678c58e537de220a3de8864f7b59a
SHA1 6ec6e9f59b6b4ef89981991caad712b613220e53
SHA256 5cef02036e555b54d023483bab43e3fa49aa0d4d2640aa12a6ed4a9ae1d7950f
SHA512 32b38732fe732020565a144a016c488429ebe0c98a82ff1758fb6c545585fe9bb05e7b56a992eb95cca8e130ba23a7230407b2e88864ec0d7e0840da64cb574e

memory/4084-160-0x0000000006DE0000-0x0000000006E2C000-memory.dmp

memory/4084-171-0x0000000007B30000-0x0000000007BD4000-memory.dmp

memory/4084-162-0x0000000070340000-0x0000000070697000-memory.dmp

memory/4084-161-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/4084-172-0x0000000007E50000-0x0000000007E61000-memory.dmp

memory/4084-173-0x0000000006320000-0x0000000006335000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a94cb31f73f7766455a82898bf2fcf50
SHA1 fdd384ea3dacb040073e10769837f931882c8ffd
SHA256 3fea4b93919281e21c2cc50de01440fe00c15d4ab1ceaafe1e7debdd98a264ce
SHA512 d47fb82260f93f4899572a13d193aa0df7ca16b07d462a59f10e38f64c2461b09021427b2723d015b8d7e6905a0000ba89f97cc1576f6fc1a7240b1f4093d7fb

memory/1796-185-0x0000000070340000-0x0000000070697000-memory.dmp

memory/1796-184-0x00000000701A0000-0x00000000701EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4852-201-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2576-206-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2264-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2576-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4852-212-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2264-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4852-215-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4852-218-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2264-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4852-221-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4852-224-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4852-227-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4852-230-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4852-233-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4852-236-0x0000000000400000-0x0000000002ED5000-memory.dmp