Malware Analysis Report

2025-01-02 06:31

Sample ID 240515-3kkszshh3t
Target 57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d
SHA256 57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d

Threat Level: Known bad

The file 57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:34

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:34

Reported

2024-05-15 23:36

Platform

win11-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (×16)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A (×2)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×6)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×5)
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A (×2)

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×14)
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A (×12)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (×32)
N/A N/A C:\Windows\rss\csrss.exe N/A (×6)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×7)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (×2)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2588 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2588 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\system32\cmd.exe (×2)
PID 4972 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (×2)
PID 2588 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2588 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2588 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\rss\csrss.exe (×3)
PID 2700 wrote to memory of 1632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2700 wrote to memory of 944 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2700 wrote to memory of 892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2700 wrote to memory of 4952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (×2)
PID 4364 wrote to memory of 3944 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (×3)
PID 3944 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (×3)

Uses Task Scheduler COM API

persistence

Processes

Image, with its command line indented beneath it

C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe
    "C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe
    "C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
    C:\Windows\windefender.exe
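The `sc sdset WinDefender ...` command above is the part of this chain an incident responder most needs to read correctly: it rewrites the DACL of the service that windefender.exe registers so that the Administrators allow ACE no longer carries WP (SERVICE_STOP) or DT (SERVICE_PAUSE_CONTINUE), and a trailing (D;;WPDT;;;BA) ACE denies both outright, while LOCAL SYSTEM keeps them. The decoder below is an added example written for this page, not code from the report, the sandbox or the sample. It parses the SDDL string copied verbatim from the command line, names each right with the service-specific meaning the service control manager gives the two-letter codes, and models the ordered DACL walk of a Windows access check (simplified: no owner rights, privileges or generic-right mapping are considered). The well-known SID names are the standard SDDL abbreviations.

```python
"""Decode the service security descriptor that the dropped windefender.exe
applies with `sc sdset WinDefender ...` and check who can still stop the
service. Added example, not part of the sandbox report or of the sample."""
import re
from dataclasses import dataclass

# Two-letter SDDL rights as the service control manager interprets them
# (the generic letters are overloaded with service-specific meanings).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators",
                   "IU": "Interactive users", "SU": "Service logon", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# Copied verbatim from the sc.exe command line in the report.
MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass(frozen=True)
class Ace:
    ace_type: str        # A, D or AU
    flags: str           # e.g. FA on the audit ACE
    rights: frozenset    # two-letter right codes
    sid: str             # well-known SID abbreviation or S-1-... string


def parse_sddl(sddl):
    """Split an SDDL string into {'D': [Ace, ...], 'S': [Ace, ...]}."""
    acls = {}
    for section in re.finditer(r"([DS]):((?:\([^)]*\))+)", sddl):
        kind, body = section.groups()
        aces = []
        for ace_text in re.findall(r"\(([^)]*)\)", body):
            fields = ace_text.split(";")
            if len(fields) != 6:
                raise ValueError(f"unexpected ACE layout: ({ace_text})")
            ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
            if len(rights) % 2:
                raise ValueError(f"odd-length rights field in ({ace_text})")
            codes = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
            unknown = set(codes) - set(SERVICE_RIGHTS)
            if unknown:
                raise ValueError(f"unknown right(s) {sorted(unknown)} in ({ace_text})")
            aces.append(Ace(ace_type, flags, codes, sid))
        acls[kind] = aces
    return acls


def describe(sddl):
    """One human-readable line per ACE."""
    lines = []
    for kind, aces in parse_sddl(sddl).items():
        for ace in aces:
            who = WELL_KNOWN_SIDS.get(ace.sid, ace.sid)
            rights = ", ".join(SERVICE_RIGHTS[c] for c in sorted(ace.rights))
            lines.append(f"{kind}ACL {ACE_TYPES.get(ace.ace_type, ace.ace_type)} {who}: {rights}")
    return lines


def access_check(dacl, principal_sids, requested):
    """Walk the DACL in order the way the Windows access check does: an allow
    ACE for one of the caller's SIDs grants its rights, the check succeeds as
    soon as nothing requested remains, and a deny ACE whose mask overlaps the
    still-ungranted rights fails it. Order therefore matters: a deny placed
    after an allow that already granted the right would be ineffective, which
    is why the BA allow ACE in this descriptor omits WP and DT."""
    remaining = set(requested)
    for ace in dacl:
        if ace.sid not in principal_sids:
            continue
        if ace.ace_type == "D" and ace.rights & remaining:
            return False
        if ace.ace_type == "A":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining


def stop_blocked_for(sddl):
    """SIDs explicitly denied SERVICE_STOP or SERVICE_PAUSE_CONTINUE."""
    return sorted(ace.sid for ace in parse_sddl(sddl)["D"]
                  if ace.ace_type == "D" and ace.rights & {"WP", "DT"})


if __name__ == "__main__":
    print("\n".join(describe(MALWARE_SDDL)))
    dacl = parse_sddl(MALWARE_SDDL)["D"]
    print("Administrators may stop WinDefender:", access_check(dacl, {"BA"}, {"WP"}))
    print("SYSTEM may stop WinDefender:", access_check(dacl, {"SY"}, {"WP"}))
```

Two things the decoded descriptor tells a responder: `sc stop WinDefender` from an elevated prompt will fail with access denied, but the Administrators ACE still carries DC (SERVICE_CHANGE_CONFIG) and WD (WRITE_DAC), so the same account can reset the descriptor with `sc sdset` to a stock one, or set the service to disabled with `sc config` and reboot. The SACL line is the unchanged default failure-audit entry and is not part of the tampering.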

Network

Country Destination Domain Proto
US 8.8.8.8:53 2d71dcef-406f-4598-9adb-95087e063c78.uuid.statscreate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server1.statscreate.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server1.statscreate.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server1.statscreate.org tcp

Files

memory/3968-1-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3968-2-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3968-3-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1096-4-0x00000000030C0000-0x00000000030F6000-memory.dmp

memory/1096-5-0x000000007499E000-0x000000007499F000-memory.dmp

memory/1096-6-0x0000000005910000-0x0000000005F3A000-memory.dmp

memory/1096-7-0x0000000074990000-0x0000000075141000-memory.dmp

memory/1096-8-0x0000000074990000-0x0000000075141000-memory.dmp

memory/1096-9-0x00000000058E0000-0x0000000005902000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctspgpu2.qgr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1096-18-0x00000000060A0000-0x0000000006106000-memory.dmp

memory/1096-19-0x00000000061C0000-0x0000000006226000-memory.dmp

memory/1096-20-0x0000000006230000-0x0000000006587000-memory.dmp

memory/1096-21-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/1096-22-0x00000000065D0000-0x000000000661C000-memory.dmp

memory/1096-23-0x0000000006B40000-0x0000000006B86000-memory.dmp

memory/1096-25-0x00000000079B0000-0x00000000079E4000-memory.dmp

memory/1096-26-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/1096-36-0x00000000079F0000-0x0000000007A0E000-memory.dmp

memory/1096-37-0x0000000007A10000-0x0000000007AB4000-memory.dmp

memory/1096-27-0x0000000070D80000-0x00000000710D7000-memory.dmp

memory/1096-39-0x0000000007B40000-0x0000000007B5A000-memory.dmp

memory/1096-38-0x0000000008180000-0x00000000087FA000-memory.dmp

memory/1096-40-0x0000000007B80000-0x0000000007B8A000-memory.dmp

memory/1096-41-0x0000000074990000-0x0000000075141000-memory.dmp

memory/3968-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1096-42-0x0000000074990000-0x0000000075141000-memory.dmp

memory/1096-43-0x0000000007C90000-0x0000000007D26000-memory.dmp

memory/1096-44-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

memory/1096-45-0x0000000007BF0000-0x0000000007BFE000-memory.dmp

memory/1096-46-0x0000000007C00000-0x0000000007C15000-memory.dmp

memory/1096-47-0x0000000007C50000-0x0000000007C6A000-memory.dmp

memory/1096-48-0x0000000007C40000-0x0000000007C48000-memory.dmp

memory/1096-51-0x0000000074990000-0x0000000075141000-memory.dmp

memory/3968-53-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2744-62-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/2744-63-0x0000000070D80000-0x00000000710D7000-memory.dmp

memory/2744-72-0x0000000007720000-0x00000000077C4000-memory.dmp

memory/2744-73-0x0000000007A30000-0x0000000007A41000-memory.dmp

memory/2744-74-0x0000000007A80000-0x0000000007A95000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4880-87-0x0000000005D50000-0x00000000060A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 673635dc4a5d6139422834fd608f4f70
SHA1 33862ad196e4814366c4cc39b7151cb05044396a
SHA256 04db3735ff1ddbd1398591c24ed362445c651e103b2fe0cadca2a6611dab0963
SHA512 18c55e3cd7323384d2e865369ac50c27964934259ea658f46f02f2f4658488f7e13ef7a2028cca906520921a93b99604644ca8b3bba868945b3ec54ee8386f81

memory/4880-89-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/4880-90-0x0000000070D90000-0x00000000710E7000-memory.dmp

memory/3840-108-0x0000000006040000-0x0000000006397000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6b66c12ff8275b44eea33faa359b47d2
SHA1 31e76206dcc52b0b081ae8220f435f0b887871da
SHA256 affc310fce2a3c6c18d0d11d8aa2968e8640807856d01c5c03779aa60a69771f
SHA512 756479a84ffbe78782806f662d037ece44383b14ff56e17007b8232fc2dc154a694f513f21e18318bfad1a646bde9c514c7c1cac8fecbe348e2eb9f401716a2d

memory/3840-110-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/3840-111-0x0000000071540000-0x0000000071897000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6505a05ece25ebac5201d319aea07ebc
SHA1 57662fe26bee914bd9bff33a86b4e8d53cb0b34b
SHA256 57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d
SHA512 f9ea4516858597eeec2d80d8cbfa3c56fbc84c16df0c875d63ad7bd3a8809766b11acf229a312323ecf5b156e6d951b796c3d4903970bccc1fae5cf8d079a690

memory/2588-124-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2700-128-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6bc170fbceef5ac23bb38ea2478dabe4
SHA1 2c08dfe2ca10f03f9b6e8dcd647e6776fe2f2af5
SHA256 ddd72003ceaff3e7071bac9dfd27df100b842fc897a7648b5d8c5698fbf416a0
SHA512 4beafdf820a42c450ed004a1fe3efb833df5a06d197c2a9e174c487b4af03400d6079271112b743b5f34d582f5b8cd5e9995f267bbe0a3bc29bb66daccfacffe

memory/1632-139-0x0000000070D80000-0x00000000710D7000-memory.dmp

memory/1632-138-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/944-158-0x0000000005B90000-0x0000000005EE7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 56e73f28af1ad9ede5f2ec8fea704754
SHA1 e0751bca9451412f534f5744dd434fcd6e7a8182
SHA256 7913cac4c8fac7c69dbc253d5a1d59f85477ba9719d0c4502f85fc28f668b563
SHA512 1ed255cb823280b65049b3c371a3773cd80742219fe17b179cab288737fa2c05bf8ef35040c02e372fcb378d013acbea9bff8ef18f6d4d7372a6dfa7465366ba

memory/944-160-0x00000000064B0000-0x00000000064FC000-memory.dmp

memory/944-161-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/944-162-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

memory/944-171-0x0000000007210000-0x00000000072B4000-memory.dmp

memory/944-172-0x0000000007550000-0x0000000007561000-memory.dmp

memory/944-173-0x00000000059F0000-0x0000000005A05000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d1b4385b505a26ea2130583a950ba89
SHA1 a806439bd57d5af5b4feb548104e62c93231c603
SHA256 f5e6110e33ba9800318e10821650e2d09f820365e6fa005279e598cd428f8315
SHA512 b8576340f8c7d287242b732853e48ed2320a01d7d95c53c2eaef031b80d9a7bf5179c4c524fa7c5793976aeb33f8b6f80ec3110894715f7406368988fae06dd9

memory/892-184-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/892-185-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2700-200-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4364-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1912-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2700-208-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1912-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2700-213-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2700-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1912-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2700-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2700-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2700-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2700-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2700-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2700-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:34

Reported

2024-05-15 23:37

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

13 rule matches recorded; the report gives no description, indicator, process or target for any of them.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
3 rule matches recorded; the report gives no description, indicator, process or target for them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3020 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 5064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1488 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe C:\Windows\rss\csrss.exe
PID 2544 wrote to memory of 1116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2544 wrote to memory of 2420 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe

"C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe

"C:\Users\Admin\AppData\Local\Temp\57e0490d129d19832c1f5f752be36f627269b5e71d545776a7f5a934c9a5245d.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files
