Malware Analysis Report

2025-01-02 06:33

Sample ID 240515-3pahtaab5t
Target 9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090
SHA256 9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090
Tags
glupteba dropper evasion execution loader upx discovery persistence rootkit
score
10/10

Analysis Overview

score
10/10

SHA256

9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090

Threat Level: Known bad

The file 9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:40

Reported

2024-05-15 23:43

Platform

win10v2004-20240426-en

Max time kernel

8s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe

"C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe

"C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 c37a6c47-b5dd-46f4-8afc-9bc580bc287b.uuid.alldatadump.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server14.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server14.alldatadump.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server14.alldatadump.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.108:443 server14.alldatadump.org tcp

Files

memory/3884-1-0x00000000047A0000-0x0000000004BA4000-memory.dmp

memory/3884-2-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/3884-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2396-4-0x00000000745FE000-0x00000000745FF000-memory.dmp

memory/2396-5-0x00000000047D0000-0x0000000004806000-memory.dmp

memory/2396-7-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/2396-6-0x0000000004E40000-0x0000000005468000-memory.dmp

memory/2396-8-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/2396-9-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

memory/2396-11-0x0000000005710000-0x0000000005776000-memory.dmp

memory/2396-10-0x00000000056A0000-0x0000000005706000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lgupjcb.r11.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2396-21-0x0000000005780000-0x0000000005AD4000-memory.dmp

memory/2396-22-0x0000000005D60000-0x0000000005D7E000-memory.dmp

memory/2396-23-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

memory/2396-24-0x0000000006320000-0x0000000006364000-memory.dmp

memory/2396-25-0x00000000070A0000-0x0000000007116000-memory.dmp

memory/2396-26-0x00000000077A0000-0x0000000007E1A000-memory.dmp

memory/2396-27-0x0000000007140000-0x000000000715A000-memory.dmp

memory/2396-29-0x00000000072F0000-0x0000000007322000-memory.dmp

memory/2396-30-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/2396-42-0x0000000007350000-0x00000000073F3000-memory.dmp

memory/3884-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2396-43-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/2396-41-0x0000000007330000-0x000000000734E000-memory.dmp

memory/2396-44-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/2396-31-0x0000000070BF0000-0x0000000070F44000-memory.dmp

memory/2396-45-0x0000000007440000-0x000000000744A000-memory.dmp

memory/2396-46-0x0000000007550000-0x00000000075E6000-memory.dmp

memory/2396-47-0x0000000007450000-0x0000000007461000-memory.dmp

memory/2396-48-0x0000000007490000-0x000000000749E000-memory.dmp

memory/2396-49-0x00000000074B0000-0x00000000074C4000-memory.dmp

memory/2396-50-0x00000000074F0000-0x000000000750A000-memory.dmp

memory/2396-51-0x00000000074E0000-0x00000000074E8000-memory.dmp

memory/2396-54-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/3964-62-0x0000000005990000-0x0000000005CE4000-memory.dmp

memory/3884-66-0x00000000047A0000-0x0000000004BA4000-memory.dmp

memory/3884-67-0x0000000004BB0000-0x000000000549B000-memory.dmp

memory/3964-69-0x0000000070C30000-0x0000000070F84000-memory.dmp

memory/3964-79-0x0000000007240000-0x00000000072E3000-memory.dmp

memory/3964-68-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/3964-80-0x0000000007540000-0x0000000007551000-memory.dmp

memory/3964-81-0x0000000007590000-0x00000000075A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3556-90-0x0000000005BC0000-0x0000000005F14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8fddd434997e2c20424fe2f654da2a15
SHA1 1b42611db130a35297b9adc30feacf5410d40bd6
SHA256 5aaa23aa0d4f8376351bb6013187ef6f156376047117d97691684a3f7ce84c48
SHA512 2a0e1275079f4959d5603e88ad9a2faff5442c6e7efd8263a028eaf5ce173a04c3c25ab5e9b3a9f939004eabf6093e732cc614d46b8a2a3e17d950990de3010e

memory/3884-97-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3884-96-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3556-99-0x0000000070C60000-0x0000000070FB4000-memory.dmp

memory/3556-98-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/1364-115-0x0000000005F10000-0x0000000006264000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 164405f76731e6fa82dc3355aebef9b1
SHA1 b2bf6429957182021be820bf702f492c879fda97
SHA256 ab7f9e26bf325d465b2adad778293910d895f57713ceaa5dcb9aa41193db6a09
SHA512 4a604c2863ce342f5bd7033701e837031a8eeb14af78d4a6fd19b6f4e3425eeef0eeba81195b774c12bb45b573a7fc0ffb94f33bbfaa6ac3bcd3923063cfc8ba

memory/1364-121-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/1364-122-0x0000000070C10000-0x0000000070F64000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 89335b6e9d6f149826edfd7f7c8a4d29
SHA1 22e15ef26ca3d25e465af79c3ecf87d395918a08
SHA256 9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090
SHA512 deaecd1159d106849e80b669331c69d42a0cf8121a9409af504769c9343abc73153bf430ea6cbfb833eaf1374898939549e39712dec7b104a50f8fe6c9bcbb3d

memory/3872-138-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ab02a779659559282e137a82bb3c829e
SHA1 eec74b832ed4ef8737d98ed22d33635e3eccae6a
SHA256 b64403d7dae336739c6a9a589ce92af3090d27b5cb82c0abb51c2fe34801a026
SHA512 4b7122d3e024d3f7c4622534be51188e4573b784790a99490d76587dc4c4012758f8a83ad70244c982dba3cb53641f38d16ef3f4b161261ca88b66b206547a26

memory/752-149-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/752-150-0x0000000070C10000-0x0000000070F64000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e8ff6a432dd9f27450242aff5c4c34aa
SHA1 052dd523e1ae24aa4ad246c4ba74e373ac79af4d
SHA256 2c09f3c97c469d89f770dd3dfdb37d46ea9ed60d319b867e610a7f7a404f436e
SHA512 2a1a9bb280dabdcc7297ec4fa13c630fbab808983c52f92a5d827b5f09caa673634a0e48b57ccb309e006bebe0c8b9599be283a214fc74b2fd0b6ccaec651ddf

memory/4380-170-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

memory/4380-172-0x00000000067C0000-0x000000000680C000-memory.dmp

memory/4380-173-0x00000000703B0000-0x00000000703FC000-memory.dmp

memory/4380-184-0x0000000007630000-0x00000000076D3000-memory.dmp

memory/4380-174-0x00000000707B0000-0x0000000070B04000-memory.dmp

memory/4380-185-0x0000000007940000-0x0000000007951000-memory.dmp

memory/4380-186-0x00000000061A0000-0x00000000061B4000-memory.dmp

memory/864-198-0x0000000005830000-0x0000000005B84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 594dbd9801f00d0753584c0a202f415f
SHA1 07a860923eabdf80821f9b872554cad102f5b982
SHA256 8791b83ead81f92c25d4e6f840b3e8a0b91b546c747c501b39f406134574fc52
SHA512 57c2c6b4b68a9e0b36548430fe658020a77d52b508b6d27eefed19fa755915f84faaa2595427531352fc3672a36b97d2c422967b4bd9798a2b7074f4b26d020a

memory/864-201-0x0000000070B60000-0x0000000070EB4000-memory.dmp

memory/864-200-0x00000000703B0000-0x00000000703FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/336-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5092-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4908-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5092-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/336-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4908-234-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/336-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4908-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/336-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-253-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-258-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-262-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-265-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/336-269-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:40

Reported

2024-05-15 23:43

Platform

win11-20240419-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
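The SeSecurityPrivilege that sc.exe enables in the table above is the privilege needed to write the SACL (the `S:` part) of a security descriptor, and the descriptor in question is the one passed to `sc sdset WinDefender` in the Processes section of this report. The decoder below is an added example for this page, not part of the sandbox output: it parses that SDDL string and shows what each principal ends up with on the service object. The two-letter tokens, access bits and SID aliases are the documented Windows values; the per-SID shortcut in effective_rights() is this example's own simplification and is marked as such in the code.

```python
"""Decode the service security descriptor this sample installs with sc sdset.

Added example for this report, not part of the sandbox output.
"""
import re

# Service-object meaning of the generic two-letter SDDL rights tokens.
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG"), "DC": (0x00002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS"), "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "SERVICE_START"), "WP": (0x00020, "SERVICE_STOP"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE"), "LO": (0x00080, "SERVICE_INTERROGATE"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL"), "SD": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"), "WD": (0x40000, "WRITE_DAC"), "WO": (0x80000, "WRITE_OWNER"),
}
# "WD" is WRITE_DAC in a rights field but Everyone in a SID field; position decides.
WELL_KNOWN_SIDS = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "WD": "Everyone",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "BU": "BUILTIN\\Users",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# Verbatim from the `sc sdset WinDefender ...` command line in this report.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def rights_mask(field):
    """Rights field of one ACE (two-letter tokens or 0x hex) -> access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field {field!r}")
    mask = 0
    for tok in (field[i:i + 2] for i in range(0, len(field), 2)):
        if tok not in SERVICE_RIGHTS:
            raise ValueError(f"{tok!r} is not a service right")
        mask |= SERVICE_RIGHTS[tok][0]
    return mask

def right_names(mask):
    return sorted(name for bit, name in SERVICE_RIGHTS.values() if mask & bit)

def parse_ace(text):
    """'type;flags;rights;object_guid;inherit_guid;sid' -> dict."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE ({text})")
    ace_type, flags, rights, _obj, _inh, sid = fields[:6]
    mask = rights_mask(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags, "mask": mask,
            "rights": right_names(mask), "sid": sid, "principal": WELL_KNOWN_SIDS.get(sid, sid)}

def parse_sddl(sddl):
    """Split the O:/G:/D:/S: sections; D and S become lists of parsed ACEs."""
    out = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for section in filter(None, re.split(r"(?=[OGDS]:)", sddl)):
        key, body = section[0], section[2:]
        if key in "OG":
            out["owner" if key == "O" else "group"] = body
        else:  # ACL control flags before the first "(" are not needed here
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            out["dacl" if key == "D" else "sacl"] = aces
    return out

def effective_rights(descriptor, sid):
    """(granted, denied) masks for one SID alias.

    Simplification of this example: only ACEs naming `sid` directly count. A real
    AccessCheck also walks the token's group SIDs, but nothing else in this flat
    DACL adds rights for an administrator, so the answer is the same here.
    """
    allowed = denied = 0
    for ace in descriptor["dacl"]:
        if ace["sid"] == sid and ace["type"] == "ALLOW":
            allowed |= ace["mask"]
        elif ace["sid"] == sid and ace["type"] == "DENY":
            denied |= ace["mask"]
    return allowed & ~denied, denied

def admin_lockout_report(sddl=SAMPLE_SDDL):
    """What a member of BUILTIN\\Administrators can still do to the service."""
    granted, denied = effective_rights(parse_sddl(sddl), "BA")
    return {"can_stop": bool(granted & SERVICE_RIGHTS["WP"][0]),
            "can_delete": bool(granted & SERVICE_RIGHTS["SD"][0]),
            "can_rewrite_dacl": bool(granted & SERVICE_RIGHTS["WD"][0]),
            "denied": right_names(denied)}

if __name__ == "__main__":
    desc = parse_sddl(SAMPLE_SDDL)
    for ace in desc["dacl"] + desc["sacl"]:
        print(f'{ace["type"]:5} {ace["principal"]:26} {", ".join(ace["rights"])}')
    print(admin_lockout_report())
```

The entry to notice is `(D;;WPDT;;;BA)`: it denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE to local Administrators, so `sc stop WinDefender` fails even from an elevated prompt, while the SYSTEM ACE is the normal default. The same DACL still grants Administrators WRITE_DAC, WRITE_OWNER, DELETE and SERVICE_CHANGE_CONFIG, so the lockout is undone by rewriting the descriptor (or disabling the start type and deleting the service), not by trying to stop it. On a live host, `sc sdshow WinDefender` prints the current descriptor in exactly the form parse_sddl() accepts.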

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3448 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2208 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\rss\csrss.exe
PID 2208 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\rss\csrss.exe
PID 2208 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe C:\Windows\rss\csrss.exe
PID 4792 wrote to memory of 2664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 2664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 2664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 3608 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 3608 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 3608 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 4256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 4256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 4256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4792 wrote to memory of 2188 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4792 wrote to memory of 2188 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 904 wrote to memory of 3548 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 3548 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 3548 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3548 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3548 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3548 wrote to memory of 4820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe

"C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe

"C:\Users\Admin\AppData\Local\Temp\9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
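The process list above gives the command lines a detection engineer would key on: an inbound firewall allow rule for a binary under C:\Windows\rss, an ONLOGON scheduled task named after a system process that runs that same binary with highest privileges, injector.exe loading a DLL named after NtQuerySystemInformation (the API Task Manager uses to enumerate processes) into taskmgr.exe, and `sc sdset` writing a deny ACE for Administrators. The detection pass below over a process-creation feed is an added example, not part of this report. Its EVENTS list is constructed from the parent/child pairs and command lines recorded here; the PIDs 5100 and 5101 for the two schtasks instances and ppid 0 for processes whose parent the report does not record are placeholders.

```python
"""Detections for the process-tree patterns this report records (added example).

Not part of the sandbox output. EVENTS is constructed from the parent/child pairs
and command lines in this report; PIDs 5100/5101 and ppid 0 are placeholders.
"""
import re
from collections import namedtuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\sysnative\\")
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090.exe")
RSS = "C:\\Windows\\rss\\csrss.exe"
INJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe"
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
FW = f'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="{RSS}" enable=yes'

Event = namedtuple("Event", "pid ppid image cmdline")              # Sysmon 1 / 4688 shape
Finding = namedtuple("Finding", "rule pid chain artifact detail")  # chain is root-first

EVENTS = [
    Event(2208, 0, SAMPLE, f'"{SAMPLE}"'),
    Event(3448, 2208, "C:\\Windows\\system32\\cmd.exe", f'C:\\Windows\\Sysnative\\cmd.exe /C "{FW}"'),
    Event(4836, 3448, "C:\\Windows\\system32\\netsh.exe", FW),
    Event(4792, 2208, RSS, RSS),
    Event(5100, 4792, "C:\\Windows\\SYSTEM32\\schtasks.exe",
          f'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "{RSS}" /TN csrss /F'),
    Event(5101, 4792, "C:\\Windows\\SYSTEM32\\schtasks.exe", "schtasks /delete /tn ScheduledUpdate /f"),
    Event(2188, 4792, INJ, INJ + " taskmgr.exe " + INJ.rsplit("\\", 1)[0] + "\\NtQuerySystemInformationHook.dll"),
    Event(904, 0, "C:\\Windows\\windefender.exe", '"C:\\Windows\\windefender.exe"'),
    Event(3548, 904, "C:\\Windows\\SysWOW64\\cmd.exe", f"cmd.exe /C sc sdset WinDefender {SDDL}"),
    Event(4820, 3548, "C:\\Windows\\SysWOW64\\sc.exe", f"sc sdset WinDefender {SDDL}"),
]

FW_RE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?program="?([^"\s]+)', re.I)
TASK_RE = re.compile(r'schtasks\s+/create\b.*?/tr\s+"?([^"]+?)"?\s+/tn\s+(\S+)', re.I)
SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)
HOOK_RE = re.compile(r"(\S+\.exe)\s+(\S+hook\S*\.dll)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

# Each rule returns (artifact, detail) on a hit and None otherwise.
def rule_masquerade(ev):  # T1036: a system-process name running outside the system directories
    if basename(ev.image) in SYSTEM_NAMES and not in_system_dir(ev.image):
        return ev.image, f"{basename(ev.image)} running from {ev.image}"

def rule_firewall_allow(ev):
    m = FW_RE.search(ev.cmdline)
    if m and "action=allow" in ev.cmdline.lower() and not in_system_dir(m.group(1)):
        return m.group(1), f"inbound allow rule for {m.group(1)}"

def rule_logon_task(ev):
    m, low = TASK_RE.search(ev.cmdline), ev.cmdline.lower()
    if m and "/sc onlogon" in low and "/rl highest" in low:
        return m.group(1), f"task {m.group(2)} runs {m.group(1)} elevated at every logon"

def rule_service_lockout(ev):  # a deny ACE for BUILTIN\Administrators written into a service DACL
    m = SDSET_RE.search(ev.cmdline)
    if m and re.search(r"\(D;[^)]*;;;BA\)", m.group(2)):
        return m.group(1), f"DACL of service {m.group(1)} denies Administrators"

def rule_dll_injector(ev):
    m = HOOK_RE.search(ev.cmdline)
    if m:
        return m.group(2), f"{basename(ev.image)} loads {basename(m.group(2))} into {m.group(1)}"

RULES = {"masquerade": rule_masquerade, "firewall_allow": rule_firewall_allow,
         "logon_task": rule_logon_task, "service_lockout": rule_service_lockout,
         "dll_injector": rule_dll_injector}

def ancestry(events, pid):
    """Image names from the root down to pid, following ppid links."""
    by_pid, names = {e.pid: e for e in events}, []
    while pid in by_pid and len(names) < 32:  # depth cap guards against ppid cycles
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))

def detect(events=EVENTS):
    hits = ((name, ev, rule(ev)) for ev in events for name, rule in RULES.items())
    return [Finding(name, ev.pid, ancestry(events, ev.pid), *hit) for name, ev, hit in hits if hit]

def correlate(findings):
    """Artifacts that more than one independent rule keyed on: the strongest signal."""
    by_artifact = {}
    for f in findings:
        by_artifact.setdefault(f.artifact.lower(), set()).add(f.rule)
    return {k: v for k, v in by_artifact.items() if len(v) > 1}

if __name__ == "__main__":
    for f in detect():
        print(f"[{f.rule}] pid {f.pid} ({f.chain}): {f.detail}")
    print("correlated:", correlate(detect()))
```

Two design points. The cmd.exe wrapper and its child both fire the same rule (3448 and 4836 for the firewall rule, 3548 and 4820 for sc sdset); that is deliberate, since either may be the only record your telemetry kept, and the ancestry string disambiguates them. correlate() is where the score comes from: C:\Windows\rss\csrss.exe is hit by three unrelated rules (masquerading name, firewall allow, elevated logon task), which is a far stronger signal than any one of them alone and is the artifact to pivot on when hunting the rest of the estate.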

Network

Country Destination Domain Proto
US 8.8.8.8:53 5015f526-b0d5-4465-aea9-c817980f3861.uuid.alldatadump.org udp
US 8.8.8.8:53 server15.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server15.alldatadump.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server15.alldatadump.org tcp

Files

memory/1724-1-0x0000000004A00000-0x0000000004E02000-memory.dmp

memory/1724-2-0x0000000004E10000-0x00000000056FB000-memory.dmp

memory/1724-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/328-4-0x00000000741DE000-0x00000000741DF000-memory.dmp

memory/328-5-0x0000000002890000-0x00000000028C6000-memory.dmp

memory/328-6-0x00000000741D0000-0x0000000074981000-memory.dmp

memory/328-7-0x0000000005020000-0x000000000564A000-memory.dmp

memory/328-8-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

memory/328-9-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/328-10-0x0000000005830000-0x0000000005896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtqyb1z4.rsg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/328-19-0x00000000741D0000-0x0000000074981000-memory.dmp

memory/328-20-0x0000000005980000-0x0000000005CD7000-memory.dmp

memory/328-21-0x0000000005D40000-0x0000000005D5E000-memory.dmp

memory/328-22-0x0000000005D90000-0x0000000005DDC000-memory.dmp

memory/328-23-0x00000000062D0000-0x0000000006316000-memory.dmp

memory/328-25-0x0000000007180000-0x00000000071B4000-memory.dmp

memory/328-27-0x00000000705C0000-0x0000000070917000-memory.dmp

memory/328-26-0x0000000070440000-0x000000007048C000-memory.dmp

memory/328-37-0x00000000071E0000-0x0000000007284000-memory.dmp

memory/328-36-0x00000000071C0000-0x00000000071DE000-memory.dmp

memory/328-38-0x00000000741D0000-0x0000000074981000-memory.dmp

memory/1724-24-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/328-39-0x00000000741D0000-0x0000000074981000-memory.dmp

memory/328-41-0x0000000007310000-0x000000000732A000-memory.dmp

memory/328-40-0x0000000007950000-0x0000000007FCA000-memory.dmp

memory/328-42-0x0000000007350000-0x000000000735A000-memory.dmp

memory/328-43-0x0000000007410000-0x00000000074A6000-memory.dmp

memory/328-44-0x0000000007380000-0x0000000007391000-memory.dmp

memory/328-45-0x00000000073C0000-0x00000000073CE000-memory.dmp

memory/328-46-0x00000000073D0000-0x00000000073E5000-memory.dmp

memory/328-47-0x00000000074D0000-0x00000000074EA000-memory.dmp

memory/328-48-0x00000000074B0000-0x00000000074B8000-memory.dmp

memory/328-51-0x00000000741D0000-0x0000000074981000-memory.dmp

memory/1724-53-0x0000000004A00000-0x0000000004E02000-memory.dmp

memory/1724-54-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1724-55-0x0000000004E10000-0x00000000056FB000-memory.dmp

memory/1724-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5076-62-0x0000000005990000-0x0000000005CE7000-memory.dmp

memory/5076-66-0x0000000070440000-0x000000007048C000-memory.dmp

memory/5076-67-0x0000000070650000-0x00000000709A7000-memory.dmp

memory/5076-76-0x00000000070E0000-0x0000000007184000-memory.dmp

memory/5076-78-0x0000000007400000-0x0000000007411000-memory.dmp

memory/2208-77-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5076-79-0x0000000007450000-0x0000000007465000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b180bf96a3aed2c0decfcfe3a74d557b
SHA1 9c0d12325a20a0a0831202de1f0a5583ae37f6cd
SHA256 8562658e4104b5bb22d19b4c7f4e3b21953a030fa6d42fa26a1eba249704c131
SHA512 e5e34a4e7abaa2c9ad8ccd9315500ca94269c77f9db642c7c89555b7375efa6df824bd873e22b86f5aa0ee512f79e2c33a3753c31c82de94448debadf79e2290

memory/4288-93-0x0000000070440000-0x000000007048C000-memory.dmp

memory/4288-94-0x0000000070650000-0x00000000709A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0bbf3ab4d96adfa83cb65d3517820745
SHA1 54c3a0ffb3c442f483d927af96aa67a3e3db36cc
SHA256 073895b3eb3fda6b3eed3c34d613cbb2eca3f7641ed7ee0213ad7ba77fa6eea3
SHA512 790feb81951e3c5f601734711327ba83156d774905e42494c103bd48d27c3ca55788122edbe05785bcb2264a4431814e32233e4e025ebdce7cc48c27ca151d2c

memory/564-113-0x0000000070440000-0x000000007048C000-memory.dmp

memory/564-114-0x0000000070650000-0x00000000709A7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 89335b6e9d6f149826edfd7f7c8a4d29
SHA1 22e15ef26ca3d25e465af79c3ecf87d395918a08
SHA256 9550e17964b5ad3dbcb0e386d1b9135eb0b071fe71ab85c5f5ae134d46360090
SHA512 deaecd1159d106849e80b669331c69d42a0cf8121a9409af504769c9343abc73153bf430ea6cbfb833eaf1374898939549e39712dec7b104a50f8fe6c9bcbb3d

memory/2208-129-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2664-132-0x0000000005BF0000-0x0000000005F47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 132d36ddb75a49ce5fe67c322a929ae3
SHA1 9e4fc6346401288019f4c791bb9af304a70c2fd7
SHA256 7157e02c426868cdd333f648cfc56beaae0afa354cd3b86f9a32d753ab048ea6
SHA512 2a722dedf550494265d478b7bc37224ec1cfb38a33dde2d471929ac650552ef0002aced56e27b644cabddfe41d9242aafbb722658ac8e00f4d1a5917a5dcf7c8

memory/2664-142-0x0000000070440000-0x000000007048C000-memory.dmp

memory/2664-143-0x0000000070690000-0x00000000709E7000-memory.dmp

memory/3608-159-0x0000000005B70000-0x0000000005EC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8b6f76f5a586fd26bbba84a7dd35edba
SHA1 8508ad6e459a6d9d78b676beba1ab6093e0b1bdc
SHA256 0ddd59f31d93bdd585ab203329d3c8e84df883c475702e1c566588060814aa27
SHA512 2cc0d683a89ac81fe6ef1d58e4c9b79c60234a94577972a58dfc37b37bf233e3c300a8c86b595ac5b96c9e8b9dcae5c0aa1c309bf95c80a9c73f2d63469f3677

memory/3608-164-0x0000000006340000-0x000000000638C000-memory.dmp

memory/3608-165-0x0000000070360000-0x00000000703AC000-memory.dmp

memory/3608-166-0x0000000070570000-0x00000000708C7000-memory.dmp

memory/3608-175-0x0000000007350000-0x00000000073F4000-memory.dmp

memory/3608-176-0x00000000076F0000-0x0000000007701000-memory.dmp

memory/4792-177-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3608-178-0x0000000005F00000-0x0000000005F15000-memory.dmp

memory/4256-180-0x0000000005600000-0x0000000005957000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3d5d1575f95d46a9a3e38bc65acfe094
SHA1 a46e39edc907296688866d0d6a564bbb1172a40a
SHA256 bce2f49e05fd7064d90f7ca8cd5108981b2476b9884f7a83c2e19236c5b84d09
SHA512 737336e70d9c34af19db524a10c86a0717f4ca30d53696a06e56c32f2883fd343c5ffdbfc810af1bb4a65549d3df1b32881db7a4f8b7d1d3f8c275c706656d40

memory/4256-190-0x0000000070360000-0x00000000703AC000-memory.dmp

memory/4256-191-0x00000000705B0000-0x0000000070907000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4792-209-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/904-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/904-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4896-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4792-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4792-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4792-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4792-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4792-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4792-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4792-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4792-249-0x0000000000400000-0x0000000002B0B000-memory.dmp