Malware Analysis Report

2025-01-02 06:38

Sample ID 240515-3p3jlaab8y
Target da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd
SHA256 da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd

Threat Level: Known bad

The file da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver.

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:42

Reported

2024-05-15 23:44

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 matches recorded; no description, indicator, process or target was captured for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches recorded; no description, indicator, process or target was captured for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\system32\cmd.exe
PID 4552 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4552 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2948 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\rss\csrss.exe
PID 2948 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\rss\csrss.exe
PID 2948 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe C:\Windows\rss\csrss.exe
PID 880 wrote to memory of 4332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 4332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 4332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 3696 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 452 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 3836 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 880 wrote to memory of 3836 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2260 wrote to memory of 3200 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3200 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3200 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3200 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3200 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe

"C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe

"C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
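
The sc sdset WinDefender command line above rewrites the dropped service's security descriptor. Relative to the DACL Windows assigns to an ordinary new service, the Administrators allow ACE has lost WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a second, explicit deny ACE for those two rights has been appended, so a stop or pause request from an administrator is refused by the service control manager. Administrators keep DC, SD, WD and WO (change config, delete, write DAC, write owner), which is what a responder uses to put the descriptor back with another sc sdset before stopping the service. The decoder below is an added example written for this page, not code from the sandbox or from the sample; it uses the report's SDDL string verbatim, a baseline default-service DACL supplied here by assumption, and walks the ACL the way the Windows access check does (ACEs in order, a deny ACE covering any still-unsatisfied right wins).

```python
import re
from dataclasses import dataclass

# Service-object access rights as SDDL / sc.exe spell them: code -> (SERVICE_* name, mask bit).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
# Trustee abbreviations (note "WD" here means Everyone; as a right code it means WRITE_DAC).
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon", "WD": "Everyone"}

# The descriptor from the report's `sc sdset WinDefender ...` command line.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Baseline for comparison: the DACL Windows gives an ordinary new service.
# Reference value supplied for this example; it is not taken from the report.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

# (type;flags;rights;object_guid;inherit_guid;sid) with both GUID fields empty.
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);;;(?P<sid>[^)]+)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str       # "A" allow, "D" deny, "AU" system audit
    rights: frozenset   # two-letter SDDL right codes
    trustee: str        # SID abbreviation


def parse_sddl(sddl):
    """Split an SDDL string into (dacl, sacl) lists of Ace, preserving ACE order."""
    dacl_text, _, sacl_text = sddl.partition("S:")
    if not dacl_text.startswith("D:"):
        raise ValueError("expected a DACL")

    def aces(text):
        return [Ace(m["type"],
                    frozenset(m["rights"][i:i + 2] for i in range(0, len(m["rights"]), 2)),
                    m["sid"]) for m in ACE_RE.finditer(text)]

    return aces(dacl_text[2:]), aces(sacl_text)


def access_check(dacl, token_sids, desired):
    """Windows-style DACL walk: ACEs are visited in order; a deny ACE that covers any
    still-unsatisfied right denies, allow ACEs accumulate rights until all are granted."""
    remaining = set(desired)
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue
        if ace.ace_type == "D" and remaining & ace.rights:
            return False
        if ace.ace_type == "A":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining


def rights_for(sddl, trustee):
    """Names of the service rights `trustee` can exercise under `sddl`."""
    dacl, _ = parse_sddl(sddl)
    return sorted(name for code, (name, _bit) in SERVICE_RIGHTS.items()
                  if access_check(dacl, {trustee}, {code}))


def rights_lost_vs_default(sddl, trustee="BA"):
    """Rights `trustee` holds on a default service but cannot exercise under `sddl`."""
    return sorted(set(rights_for(DEFAULT_SERVICE_SDDL, trustee)) - set(rights_for(sddl, trustee)))


if __name__ == "__main__":
    for sid, label in TRUSTEES.items():
        print(f"{label:18} {', '.join(rights_for(WINDEFENDER_SDDL, sid)) or '(none)'}")
    print("Administrators lost:", rights_lost_vs_default(WINDEFENDER_SDDL))
```

The allow-then-deny ordering for BA in the sample's descriptor is non-canonical (Windows normally places deny ACEs first), but the outcome is the same here because the allow ACE no longer carries WP or DT, so those requests fall through to the deny ACE.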

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 c49c4332-55bb-4fe8-b3d2-ed7ef5187c9e.uuid.statstraffic.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server6.statstraffic.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server6.statstraffic.org tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.104:443 server6.statstraffic.org tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.98:443 www.bing.com tcp
US 8.8.8.8:53 98.107.17.2.in-addr.arpa udp
BG 185.82.216.104:443 server6.statstraffic.org tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

memory/820-1-0x00000000047B0000-0x0000000004BAE000-memory.dmp

memory/820-2-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/820-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3256-4-0x000000007458E000-0x000000007458F000-memory.dmp

memory/3256-5-0x0000000002580000-0x00000000025B6000-memory.dmp

memory/3256-6-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3256-7-0x0000000004E80000-0x00000000054A8000-memory.dmp

memory/3256-8-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3256-9-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

memory/3256-10-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/3256-11-0x0000000005520000-0x0000000005586000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3yde2y53.4n2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3256-21-0x0000000005590000-0x00000000058E4000-memory.dmp

memory/3256-22-0x0000000005B50000-0x0000000005B6E000-memory.dmp

memory/3256-23-0x0000000005C00000-0x0000000005C4C000-memory.dmp

memory/3256-24-0x00000000060A0000-0x00000000060E4000-memory.dmp

memory/3256-25-0x0000000006C70000-0x0000000006CE6000-memory.dmp

memory/3256-26-0x0000000007370000-0x00000000079EA000-memory.dmp

memory/3256-27-0x0000000006D10000-0x0000000006D2A000-memory.dmp

memory/820-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3256-29-0x00000000070D0000-0x0000000007102000-memory.dmp

memory/3256-30-0x0000000070420000-0x000000007046C000-memory.dmp

memory/3256-32-0x0000000070B60000-0x0000000070EB4000-memory.dmp

memory/3256-31-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3256-43-0x0000000007130000-0x00000000071D3000-memory.dmp

memory/3256-42-0x0000000007110000-0x000000000712E000-memory.dmp

memory/3256-44-0x0000000007220000-0x000000000722A000-memory.dmp

memory/3256-45-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3256-46-0x00000000079F0000-0x0000000007A86000-memory.dmp

memory/3256-47-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/3256-48-0x0000000007250000-0x0000000007261000-memory.dmp

memory/3256-49-0x00000000072A0000-0x00000000072AE000-memory.dmp

memory/3256-50-0x00000000072B0000-0x00000000072C4000-memory.dmp

memory/3256-51-0x00000000072F0000-0x000000000730A000-memory.dmp

memory/3256-52-0x00000000072E0000-0x00000000072E8000-memory.dmp

memory/3256-55-0x0000000074580000-0x0000000074D30000-memory.dmp

memory/820-58-0x00000000047B0000-0x0000000004BAE000-memory.dmp

memory/820-59-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/820-57-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3020-69-0x00000000059D0000-0x0000000005D24000-memory.dmp

memory/820-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3020-71-0x0000000070420000-0x000000007046C000-memory.dmp

memory/3020-72-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

memory/3020-82-0x00000000071E0000-0x0000000007283000-memory.dmp

memory/3020-83-0x00000000074F0000-0x0000000007501000-memory.dmp

memory/3020-84-0x0000000007540000-0x0000000007554000-memory.dmp

memory/2948-87-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b8014e7b0060284c4507656fadd7483c
SHA1 94006ff26776f6deb607a95888b6a92edc71dd93
SHA256 648b5bc207d47bca711304c9e62f95063315ddd8fc88c338eba62b258242e3e2
SHA512 6bd24a513cfa9f0dcc24acac0bbfdb289bb1a2353b0afcf50f6ef7175286f0c42253bb0016f8ec7d4a6f789fc30bb45f4046bfe9215675825fe884c3fb612437

memory/2364-100-0x0000000070BA0000-0x0000000070EF4000-memory.dmp

memory/2364-99-0x0000000070420000-0x000000007046C000-memory.dmp

memory/1476-121-0x0000000005800000-0x0000000005B54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d4ba82f2a99f7866a96c9341b8c090d
SHA1 c3931af40b53fbb3048fc70ecc863a877d5d4cc8
SHA256 c7f50c51076e5e88e1f60b5603fdb743c49e0cad89bdf8725de13dc91db1bf5e
SHA512 526336bf70db5fcb3ebc2073a4b756058c596985f33e8cd39dabd9649116a9ab6a93dc2294e3a6187ebe88b97770c5209d5ff01b91061ab89c8d70dc39f30ede

memory/1476-123-0x0000000070420000-0x000000007046C000-memory.dmp

memory/1476-124-0x00000000705A0000-0x00000000708F4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d0302406914692d832650ed902098ece
SHA1 de252f27d2eb7566fc7ff9e05c2c7884042c7171
SHA256 da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd
SHA512 408fba0900e843598348b6101b14d4e2b61f7c4ee9b3665b3175754ca931c463e32edfdae2d4f40e35408b1dd6fd7bd97ee717ab46b250eb7df86217e752905d

memory/2948-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2acd198a2da6e4fced8c1bd70d7266aa
SHA1 b8042e080f6baf9054235829511038cd34b09628
SHA256 ba947fbf46dc30d2ef046f61feb375f675432785e8bb5f9501c32d84fe2fa181
SHA512 9725999b19c2c9ee88196248eb97281df70474a2e9ff667de3754a49f3b47269eee534388a481331fcf046e34a7f8245bbd354c058f15116d5dc73cd036314e0

memory/4332-152-0x0000000070420000-0x000000007046C000-memory.dmp

memory/4332-153-0x00000000705A0000-0x00000000708F4000-memory.dmp

memory/880-163-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3696-165-0x0000000005DF0000-0x0000000006144000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 51ee0b860ebb48295ae8ba6be21c5b39
SHA1 fd61776387f291b6e4b8ad216f58d0c6e2a4d748
SHA256 1796f0740aae3041bbe9fdf70139faf99c8fad4af84bab7d2b4bfb02411f0b3a
SHA512 669a1d089f7405f37ca5fdd046d2e7a0d06bc60bce93bb2f38f997b337382e83ed99fad1c78fb55f155f32a7ec85fab27bd99f8799c03e9174e7b6dd95dfcdec

memory/3696-176-0x0000000006500000-0x000000000654C000-memory.dmp

memory/3696-177-0x0000000070340000-0x000000007038C000-memory.dmp

memory/3696-178-0x0000000070AD0000-0x0000000070E24000-memory.dmp

memory/3696-188-0x00000000076F0000-0x0000000007793000-memory.dmp

memory/3696-189-0x00000000078C0000-0x00000000078D1000-memory.dmp

memory/3696-191-0x00000000062B0000-0x00000000062C4000-memory.dmp

memory/452-202-0x0000000006250000-0x00000000065A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba59c94753b16e59a340e5ce3f81e21b
SHA1 4d6c8ee23e9fbbb812f87c8c8fad60bca5f2e848
SHA256 7f5b81b1b510fe3a1de6fd9625af1fddbbdc306f998f2e26666478e98b21bce1
SHA512 243db0e6d5081f25c7db30f9a1a1852c6ca11ea6c3b592a570d06e120b9b7a1802890a7e8e9c1dda3b7b8f638329c02f745d84cb70b339f0bf955ba9cb28862c

memory/452-204-0x0000000070340000-0x000000007038C000-memory.dmp

memory/452-205-0x00000000704C0000-0x0000000070814000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/880-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2260-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3228-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2260-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/880-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3228-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/880-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/880-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3228-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/880-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/880-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/880-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/880-250-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/880-253-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/880-256-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:42

Reported

2024-05-15 23:44

Platform

win11-20240426-en

Max time kernel

5s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(14 matches logged; the sandbox recorded no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
(7 matches logged; the sandbox recorded no description, indicator, process or target for any of them)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe

"C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe

"C:\Users\Admin\AppData\Local\Temp\da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
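
The process list above (identical to the one under behavioral1) carries enough command-line structure to write host-based detections: csrss.exe running from C:\Windows\rss rather than System32 (and, per the Files section, carrying the sample's own SHA256, so the dropper copies itself there), a logon task with highest run level pointing at that copy, a netsh firewall allow rule for the same path, a service DACL containing a deny ACE for Administrators, and a Temp-resident injector whose arguments name a target process and a hook DLL. The block below is an added example, not part of the report; it applies those five rules to process-creation events constructed from the command lines on this page. PIDs 880, 3836, 2260, 3200 and 3484 come from the report's WriteProcessMemory rows; the 41xx PIDs are made up for the example.

```python
import re

# Constructed process-creation events (Sysmon event 1 style) built from the command lines in
# this report. PIDs 880, 3836, 2260, 3200 and 3484 are the report's; the 41xx PIDs are made up.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
FW = 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes'
INJ_DIR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector"
INJ = INJ_DIR + r"\injector.exe"
DLL = INJ_DIR + r"\NtQuerySystemInformationHook.dll"
SAMPLE_EVENTS = [
    {"pid": 880,  "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"pid": 4100, "image": r"C:\Windows\system32\cmd.exe", "cmdline": f'C:\\Windows\\Sysnative\\cmd.exe /C "{FW}"'},
    {"pid": 4104, "image": r"C:\Windows\system32\netsh.exe", "cmdline": FW},
    {"pid": 4110, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 4114, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"pid": 3836, "image": INJ, "cmdline": f"{INJ} taskmgr.exe {DLL}"},
    {"pid": 2260, "image": r"C:\Windows\windefender.exe", "cmdline": r'"C:\Windows\windefender.exe"'},
    {"pid": 3200, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": f"cmd.exe /C sc sdset WinDefender {SDDL}"},
    {"pid": 3484, "image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": f"sc sdset WinDefender {SDDL}"},
    {"pid": 4120, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nologo -noprofile"},
]

STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "svchost.exe", "services.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_standard_dir(path):
    return path.lower().startswith(STANDARD_DIRS)


def masquerade_system_binary(e):
    """A core Windows binary name executing from outside System32 / SysWOW64."""
    return _basename(e["image"]) in SYSTEM_BINARIES and not _in_standard_dir(e["image"])


def schtasks_onlogon_highest(e):
    """schtasks /CREATE at logon, highest run level, action outside standard directories."""
    c = e["cmdline"]
    if _basename(e["image"]) != "schtasks.exe" or not re.search(r"/create\b", c, re.I):
        return False
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', c, re.I)
    target = tr and (tr.group(1) or tr.group(2))
    return bool(re.search(r"/sc\s+onlogon", c, re.I) and re.search(r"/rl\s+highest", c, re.I)
                and target and not _in_standard_dir(target))


def firewall_allow_nonstandard_program(e):
    """netsh advfirewall allow rule whose program= path is outside standard directories."""
    c = e["cmdline"]
    prog = re.search(r'program="?([^"\s]+)', c, re.I)
    return bool(re.search(r"advfirewall\s+firewall\s+add\s+rule", c, re.I)
                and re.search(r"action=allow", c, re.I)
                and prog and not _in_standard_dir(prog.group(1)))


def service_dacl_denies_admins(e):
    """sc sdset whose SDDL contains an access-denied ACE for Builtin Administrators."""
    c = e["cmdline"]
    return bool(re.search(r"\bsc(?:\.exe)?\s+sdset\s+", c, re.I) and re.search(r"\(D;[^)]*;;;BA\)", c))


def dll_injection_from_temp(e):
    """A Temp-resident image whose arguments name another .exe and a .dll (injector pattern)."""
    img = e["image"].lower()
    toks = e["cmdline"].lower().split()
    return ("\\appdata\\local\\temp\\" in img
            and any(t.endswith(".dll") for t in toks)
            and any(t.endswith(".exe") and t != img for t in toks))


RULES = [
    ("masquerade_system_binary", masquerade_system_binary),
    ("schtasks_onlogon_highest", schtasks_onlogon_highest),
    ("firewall_allow_nonstandard_program", firewall_allow_nonstandard_program),
    ("service_dacl_denies_admins", service_dacl_denies_admins),
    ("dll_injection_from_temp", dll_injection_from_temp),
]


def detect(events):
    """Return (pid, rule_name) for every rule each event matches."""
    return [(e["pid"], name) for e in events for name, rule in RULES if rule(e)]


def hits_by_rule(events):
    """Rule name -> sorted list of PIDs that triggered it (every rule present, possibly empty)."""
    hits = {name: [] for name, _ in RULES}
    for pid, name in detect(events):
        hits[name].append(pid)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in hits_by_rule(SAMPLE_EVENTS).items():
        print(f"{name:36} {pids}")
```

The sc sdset rule fires on both the cmd.exe wrapper and the sc.exe child because it keys on command-line content; that is deliberate, since either record alone is enough to alert on. The powershell -nologo -noprofile launches and the schtasks /delete of ScheduledUpdate are left unflagged: neither command line is suspicious on its own.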

Network

Country Destination Domain Proto
US 8.8.8.8:53 cec2d279-3219-49c6-a5de-dd06f3bbf1d7.uuid.statstraffic.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server13.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.104:443 server13.statstraffic.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server13.statstraffic.org tcp
BG 185.82.216.104:443 server13.statstraffic.org tcp
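
Two things in the Network tables above (behavioral1 and behavioral2) are worth encoding as detections. First, the queries for <uuid>.uuid.statstraffic.org, where the leftmost label is a UUID, give each infection its own hostname under a single registrable domain. Second, the long run of in-addr.arpa PTR queries in behavioral1 includes reverse lookups of addresses the sample had just connected to: 104.216.82.185.in-addr.arpa is 185.82.216.104 (server6.statstraffic.org), 71.221.67.172.in-addr.arpa is 172.67.221.71 (carsalessystem.com) and 233.129.159.162.in-addr.arpa is 162.159.129.233 (cdn.discordapp.com). The parser below is an added example, not sandbox output; its input rows are copied from this report's tables, and the registrable-domain helper is a last-two-labels simplification rather than a public-suffix lookup.

```python
import re

# Rows copied from this report's Network tables (a subset from behavioral1 and behavioral2),
# used here as constructed sample input: country, destination, domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 c49c4332-55bb-4fe8-b3d2-ed7ef5187c9e.uuid.statstraffic.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server6.statstraffic.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server6.statstraffic.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 cec2d279-3219-49c6-a5de-dd06f3bbf1d7.uuid.statstraffic.org udp
BG 185.82.216.104:443 server13.statstraffic.org tcp
"""

UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Turn the report's four-column network rows into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def reverse_ptr(name):
    """'104.216.82.185.in-addr.arpa' -> '185.82.216.104' (PTR names list the octets reversed)."""
    if not name.lower().endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    return ".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))


def registrable_domain(name):
    # Last two labels: adequate for .org/.com, not public-suffix aware (co.uk etc.).
    return ".".join(name.split(".")[-2:])


def uuid_beacons(rows):
    """Registrable domain -> set of UUID-shaped leftmost labels seen in DNS queries."""
    out = {}
    for r in rows:
        if r["port"] != 53:
            continue
        first = r["domain"].split(".")[0]
        if UUID_LABEL.match(first):
            out.setdefault(registrable_domain(r["domain"]), set()).add(first.lower())
    return out


def ptr_cross_reference(rows):
    """IPs the sample both connected to (non-DNS rows) and reverse-resolved via PTR query."""
    connected = {}
    for r in rows:
        if r["port"] != 53:
            connected.setdefault(r["ip"], set()).add(r["domain"])
    looked_up = {reverse_ptr(r["domain"]) for r in rows
                 if r["port"] == 53 and r["domain"].lower().endswith(PTR_SUFFIX)}
    return {ip: sorted(connected[ip]) for ip in sorted(looked_up & set(connected))}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print("per-infection hostnames:", uuid_beacons(rows))
    print("PTR lookups of own destinations:", ptr_cross_reference(rows))
```

In a DNS log feed the same two functions apply unchanged: the UUID-label test catches per-victim subdomains regardless of the parent domain, and the PTR cross-reference needs only the firewall or proxy connection log joined on destination IP.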

Files

memory/1488-1-0x0000000004850000-0x0000000004C4E000-memory.dmp

memory/1488-2-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/1488-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2580-4-0x00000000743BE000-0x00000000743BF000-memory.dmp

memory/2580-5-0x00000000049E0000-0x0000000004A16000-memory.dmp

memory/2580-7-0x0000000005200000-0x000000000582A000-memory.dmp

memory/2580-6-0x00000000743B0000-0x0000000074B61000-memory.dmp

memory/2580-8-0x00000000743B0000-0x0000000074B61000-memory.dmp

memory/2580-9-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

memory/2580-10-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/2580-11-0x0000000005910000-0x0000000005976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_beiuzvh2.qyh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2580-20-0x0000000005A50000-0x0000000005DA7000-memory.dmp

memory/2580-21-0x0000000005E20000-0x0000000005E3E000-memory.dmp

memory/2580-22-0x0000000005E60000-0x0000000005EAC000-memory.dmp

memory/2580-23-0x00000000063D0000-0x0000000006416000-memory.dmp

memory/2580-27-0x00000000743B0000-0x0000000074B61000-memory.dmp

memory/2580-37-0x00000000072C0000-0x0000000007364000-memory.dmp

memory/2580-38-0x00000000743B0000-0x0000000074B61000-memory.dmp

memory/2580-36-0x00000000072A0000-0x00000000072BE000-memory.dmp

memory/2580-40-0x00000000073F0000-0x000000000740A000-memory.dmp

memory/2580-39-0x0000000007A30000-0x00000000080AA000-memory.dmp

memory/2580-41-0x0000000007430000-0x000000000743A000-memory.dmp

memory/2580-26-0x00000000707A0000-0x0000000070AF7000-memory.dmp

memory/2580-25-0x0000000070620000-0x000000007066C000-memory.dmp

memory/2580-24-0x0000000007260000-0x0000000007294000-memory.dmp

memory/2580-42-0x0000000007540000-0x00000000075D6000-memory.dmp

memory/2580-43-0x0000000007450000-0x0000000007461000-memory.dmp

memory/2580-44-0x00000000074A0000-0x00000000074AE000-memory.dmp

memory/2580-45-0x00000000074B0000-0x00000000074C5000-memory.dmp

memory/2580-46-0x0000000007500000-0x000000000751A000-memory.dmp

memory/2580-47-0x0000000007520000-0x0000000007528000-memory.dmp

memory/2580-50-0x00000000743B0000-0x0000000074B61000-memory.dmp

memory/1488-53-0x0000000004850000-0x0000000004C4E000-memory.dmp

memory/1488-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3704-61-0x0000000006110000-0x0000000006467000-memory.dmp

memory/1488-63-0x0000000004C50000-0x000000000553B000-memory.dmp

memory/3704-64-0x0000000070620000-0x000000007066C000-memory.dmp

memory/3704-74-0x00000000077A0000-0x0000000007844000-memory.dmp

memory/3704-65-0x0000000070870000-0x0000000070BC7000-memory.dmp

memory/3704-75-0x0000000007AF0000-0x0000000007B01000-memory.dmp

memory/3704-76-0x0000000007B40000-0x0000000007B55000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1eda22e1b5acdf3b1a034abb4502b21d
SHA1 06a232bceedc82fb3c516b339eeece72333b702b
SHA256 a543c397986e7ce504fbf62d15d2db57c68adadd24935e7ff0345e7e21ae242b
SHA512 128b8ef5f222d7233dc6c9f62eea2128793722a8378d652f5134e5c9cda941e7513cc788f45c6cc26283c7dc981000e9715bf70a5d3ab95ea8cdf002258c57d3

memory/3868-88-0x0000000005B80000-0x0000000005ED7000-memory.dmp

memory/3868-91-0x00000000707C0000-0x0000000070B17000-memory.dmp

memory/3868-90-0x0000000070620000-0x000000007066C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd104e9ac43ab2ca05b9967b2aac3894
SHA1 6af1c576ea6b97215523da1f562b53a5820d194b
SHA256 ed272cb630125da5567a1ebb503ece56fcc22644eeb5d63e44144d02bea167a2
SHA512 6f1888b3f841864c0167926596c0fe035509f12916aafa18d853f01433ae3c56890a9272e9120d5d10725a4225eb31e7572612978ed27251ae229c4f64489767

memory/2984-109-0x0000000005F10000-0x0000000006267000-memory.dmp

memory/2984-111-0x0000000070620000-0x000000007066C000-memory.dmp

memory/2984-112-0x0000000070F60000-0x00000000712B7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 d0302406914692d832650ed902098ece
SHA1 de252f27d2eb7566fc7ff9e05c2c7884042c7171
SHA256 da576a0c45038fcd66e8e1f9ed50e9edc0d26eb3868decf4e9bbdbd44bca19cd
SHA512 408fba0900e843598348b6101b14d4e2b61f7c4ee9b3665b3175754ca931c463e32edfdae2d4f40e35408b1dd6fd7bd97ee717ab46b250eb7df86217e752905d

memory/3856-125-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1488-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7389481658faf7810ac9b6ea6eaa033a
SHA1 3e5c0e85fe6d2586bb88d682b1c42c230eac6d79
SHA256 41075a549faf72ffc190f6ee6e84ea2eb022b9d9956523b09e149eb1b30429b2
SHA512 e089d998b1bd85a42bd1f2da6cf8c59730a1f166019285ca825ff323f925972d3f454d2ee237caaf1b89d8d2681d92a89fbfe4a48d2a0f5e50a5479225b2ab51

memory/4752-139-0x0000000070620000-0x000000007066C000-memory.dmp

memory/4752-140-0x0000000070870000-0x0000000070BC7000-memory.dmp

memory/2776-158-0x0000000006120000-0x0000000006477000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ba2c0b87200021d2acc3e839a1370af3
SHA1 a04ca38b743dae59746582aaf8787ff7b7dfa2e3
SHA256 f3f94cfd1ead23cecd037f0d0143ca10de913923465ab840f69a18f402389710
SHA512 c1a443be3a903649bf60dfb80c9f7fea2d19ba9412d6b5bf82fbf9122fc3410694f9417ea18813a91cfe393d3154f97b741382835a696eb9dafefff0bbcc2d8c

memory/2776-160-0x0000000006C80000-0x0000000006CCC000-memory.dmp

memory/2776-161-0x0000000070540000-0x000000007058C000-memory.dmp

memory/2776-162-0x0000000070E80000-0x00000000711D7000-memory.dmp

memory/2776-171-0x00000000079A0000-0x0000000007A44000-memory.dmp

memory/2776-172-0x0000000007CC0000-0x0000000007CD1000-memory.dmp

memory/2776-173-0x0000000006500000-0x0000000006515000-memory.dmp

memory/2296-175-0x00000000056F0000-0x0000000005A47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 54574629ccdf5d8edcf1f363d73142bf
SHA1 f2cd5770252e4ff8149b22235a0e69039b46abc2
SHA256 3fb2516f3ea5725d117021b1b4908253007e59b7e4eaaaf5d56f017c9dea5e87
SHA512 96881e126649bc86dce1bc10bdc0d60ed24496855c527f3439ee703e6172ee0853d4ba3c22152eabfe1235068446ae1e8fd35106a0a6c198b119157833616029

memory/2296-186-0x0000000070790000-0x0000000070AE7000-memory.dmp

memory/2296-185-0x0000000070540000-0x000000007058C000-memory.dmp

memory/1012-196-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4080-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3336-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4080-210-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1012-212-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3336-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1012-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3336-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1012-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-224-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3336-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1012-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1012-243-0x0000000000400000-0x0000000002B0B000-memory.dmp