Malware Analysis Report

2025-01-02 06:41

Sample ID 240515-wqgj7ada33
Target c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de
SHA256 c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de
Tags
glupteba dropper evasion execution loader upx discovery persistence rootkit
score
10/10

Analysis Overview

score
10/10

SHA256

c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de

Threat Level: Known bad

The file c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-05-15 18:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 18:07

Reported

2024-05-15 18:09

Platform

win10v2004-20240426-en

Max time kernel

9s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe

"C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe

"C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 20b5e70d-d424-4a8b-944f-7b040720f351.uuid.datadumpcloud.org udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server9.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
BG 185.82.216.104:443 server9.datadumpcloud.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.104:443 server9.datadumpcloud.org tcp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.104:443 server9.datadumpcloud.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42dxdgtg.bm0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c0af6ef0dce7537b5511356a5f1eb982
SHA1 8dae04df0893cda741a55c6e6c86c3935a7f3b5e
SHA256 11def5e8b519dc2cd35039e332ccd660b2c89a6dd00c7325b80b6a23195bb45d
SHA512 26fce1119a097a9029877617cf43891b2a8218f8537bbd906aa634362cb25143bd8e06c7049ca760a03da56077fa5da85ca8a30bf947e8efcb5d0cc2fb1cf7e0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fae20b6e7877ff9468a87fc51f5835ad
SHA1 b07817703227c27af07ecff7a45eed7ddc956100
SHA256 8dcf8fea469a5fe4855081ec88b4266ab216f89e4c89db61f655a79587e837e0
SHA512 923f8ec6d1f9be75da1952d84c7d9925d7bf77aa365dadc17b0f6123c5b477a46a7f82eaff3c6848073941c443282a62ad75fa9865970d2e1ad095e587e302d7

C:\Windows\rss\csrss.exe

MD5 705fcc3d735a1f32bb12f0abf203dcca
SHA1 895c21f60ddf6d74103ab4c15f9d8358ea214f2e
SHA256 c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de
SHA512 33e31394e7fa694388d8b726671c5e12240e24001d0b165b116b2b5375531034eaecdc1681da833a00885ca0977a94e2500db12209af0f2a188fa2ff680a5290

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fb793a9e43aebf5e6f1312c845cb4f18
SHA1 67e149c588ddcd255becfb52003ab2e69fe29bb3
SHA256 b537fb059c48e08f11f7fd746fefb0a483d61511101041e41a66fc539c245ab7
SHA512 34552e8137977e0589e904e7ff71f8a7920d2902e1842b8483bbd47ef6e593e4da6031cb22ae3bb85496e49880b813ebf6346e1cb79374aefcc90b98bd0cc6b8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1ae041e8a3a8541c087dc56d9ff0b04
SHA1 39874047613645ec60c5675ae66ddb2bea1edc8f
SHA256 81dbd481c95d7bfe3b29c4c89101bd79bda68a96d7eca355dda287d2d388b7d9
SHA512 8d5508958e58d20d4b68da0b2297dc1939f69e93524a757b780f8625cf3616b245bb0229a0ec8b3707fabccdb58929f459c733c0e0a14fd90d3a3baab716f726

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1a349d5e9cae4b49524988e42846d88a
SHA1 a76ad48a9db31de260aa8159fb737160e1068ba5
SHA256 a6522ec99a8df8a412cdaaa43b6d4fe319654acf6c5a820815e689e45f5b354b
SHA512 19f39add706aaa05afb5242dcb7be88006b1642c945872369638714fd10ef5f936400ca3587c82bf6501d68606170bbbcd6138f88a4bd714614faae02f3eb017

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 18:07

Reported

2024-05-15 18:09

Platform

win11-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\system32\cmd.exe
PID 328 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1160 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 328 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 328 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\rss\csrss.exe
PID 328 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\rss\csrss.exe
PID 328 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe C:\Windows\rss\csrss.exe
PID 2124 wrote to memory of 3884 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3884 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3884 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1664 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 940 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 3024 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2124 wrote to memory of 3024 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 684 wrote to memory of 2720 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2720 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2720 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2720 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2720 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe

"C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe

"C:\Users\Admin\AppData\Local\Temp\c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 d609c722-45c2-4f4a-9081-63369542fc35.uuid.datadumpcloud.org udp
US 8.8.8.8:53 server11.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp

Files

memory/3152-1-0x0000000004950000-0x0000000004D49000-memory.dmp

memory/3152-2-0x0000000004D50000-0x000000000563B000-memory.dmp

memory/3152-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2108-4-0x000000007489E000-0x000000007489F000-memory.dmp

memory/2108-5-0x0000000002D00000-0x0000000002D36000-memory.dmp

memory/2108-6-0x00000000057A0000-0x0000000005DCA000-memory.dmp

memory/2108-7-0x0000000074890000-0x0000000075041000-memory.dmp

memory/2108-11-0x0000000074890000-0x0000000075041000-memory.dmp

memory/2108-10-0x0000000005EB0000-0x0000000005F16000-memory.dmp

memory/2108-9-0x0000000005E40000-0x0000000005EA6000-memory.dmp

memory/2108-8-0x00000000056D0000-0x00000000056F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwcxtbb0.tvo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2108-21-0x0000000006020000-0x0000000006377000-memory.dmp

memory/2108-22-0x0000000006520000-0x000000000653E000-memory.dmp

memory/2108-23-0x0000000006550000-0x000000000659C000-memory.dmp

memory/3152-12-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2108-24-0x0000000006AC0000-0x0000000006B06000-memory.dmp

memory/2108-26-0x0000000070B00000-0x0000000070B4C000-memory.dmp

memory/2108-25-0x0000000007940000-0x0000000007974000-memory.dmp

memory/2108-27-0x0000000070D10000-0x0000000071067000-memory.dmp

memory/2108-36-0x0000000007980000-0x000000000799E000-memory.dmp

memory/2108-37-0x00000000079A0000-0x0000000007A44000-memory.dmp

memory/2108-38-0x0000000074890000-0x0000000075041000-memory.dmp

memory/2108-40-0x0000000008110000-0x000000000878A000-memory.dmp

memory/2108-39-0x0000000074890000-0x0000000075041000-memory.dmp

memory/2108-41-0x00000000053A0000-0x00000000053BA000-memory.dmp

memory/2108-42-0x0000000007B30000-0x0000000007B3A000-memory.dmp

memory/2108-43-0x0000000007C40000-0x0000000007CD6000-memory.dmp

memory/2108-44-0x0000000007B60000-0x0000000007B71000-memory.dmp

memory/2108-45-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

memory/2108-46-0x0000000007BB0000-0x0000000007BC5000-memory.dmp

memory/2108-47-0x0000000007C00000-0x0000000007C1A000-memory.dmp

memory/2108-48-0x0000000007C20000-0x0000000007C28000-memory.dmp

memory/2108-51-0x0000000074890000-0x0000000075041000-memory.dmp

memory/3152-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3152-55-0x0000000004D50000-0x000000000563B000-memory.dmp

memory/3152-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4904-64-0x0000000005D50000-0x00000000060A7000-memory.dmp

memory/4904-65-0x0000000006800000-0x000000000684C000-memory.dmp

memory/4904-66-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/4904-67-0x0000000070D90000-0x00000000710E7000-memory.dmp

memory/4904-76-0x00000000074C0000-0x0000000007564000-memory.dmp

memory/4904-77-0x00000000077D0000-0x00000000077E1000-memory.dmp

memory/4904-78-0x0000000007820000-0x0000000007835000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2888-82-0x0000000005980000-0x0000000005CD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1cb60cd5182800bdca392af8de2647ef
SHA1 23f0cb85ffdccb8d6e8491fb285ffbc190605ece
SHA256 4abcabcce16e20d2760b48836487067d71fae7a0f59f7e4decd36de9bbc46235
SHA512 d0bb6ac95a9d9eade9530308ee8cf49993d0f6b475040cd18ca18c0156bca95c1f8b721cbf8c82046a912af0212a82533af53a9814d92df56ae798307e0110d4

memory/2888-92-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/2888-93-0x0000000070E60000-0x00000000711B7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 24977d2f5207a1f1ff50534cbebcfdd9
SHA1 1431b69f39e6f339f5200d26015b5b612741b759
SHA256 4d3739afcd16dd4c99c225137e9ff23eec48f00075c725db3aa3cdd564f9ccc4
SHA512 c5811036d06cf03499905cb7b1edd73b4741fad4b4f866165b22310334c6efb0fa1c598421495e638328811c6f6f5ecdd6ffad51f6af26064b8bb6999ccb0d38

memory/680-112-0x0000000070C10000-0x0000000070C5C000-memory.dmp

memory/680-113-0x0000000070D90000-0x00000000710E7000-memory.dmp

memory/328-122-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 705fcc3d735a1f32bb12f0abf203dcca
SHA1 895c21f60ddf6d74103ab4c15f9d8358ea214f2e
SHA256 c0433272f242b18d9c310f5083db58176d4908c3de637142210426409bcbc7de
SHA512 33e31394e7fa694388d8b726671c5e12240e24001d0b165b116b2b5375531034eaecdc1681da833a00885ca0977a94e2500db12209af0f2a188fa2ff680a5290

memory/328-129-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3884-138-0x0000000006330000-0x0000000006687000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 965f3a54b9568f4625f9e729756294e0
SHA1 eb08e60fc9ebdac80ea2ffd94131d7cf1bad396f
SHA256 7ba0f802c67db52930c145892704ba62f3c20f87ad959505c61a75bcc77b013a
SHA512 d499ccaee5477349aa4aee72803f69786062bdaadb7ed0a9a6f7d0d05385d4d409c77962ea6077760f4c6aaa2b4da7e752d713600c5d1cabc40135f22b652249

memory/3884-140-0x0000000006930000-0x000000000697C000-memory.dmp

memory/3884-141-0x0000000070B70000-0x0000000070BBC000-memory.dmp

memory/3884-142-0x0000000070CF0000-0x0000000071047000-memory.dmp

memory/3884-151-0x0000000007B30000-0x0000000007BD4000-memory.dmp

memory/3884-152-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

memory/3884-153-0x00000000066B0000-0x00000000066C5000-memory.dmp

memory/1664-156-0x0000000005CB0000-0x0000000006007000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7eeaf7f435eb1d2cc653d2a9396344b
SHA1 56dc33ee9f12a8b1941cf60659cb2d220a20d11c
SHA256 95f42aa3ad4417c3820d2d98a2a4cd4876e1e331ff9873d07679584c5b71f4b4
SHA512 949fd43f710956b70769339ffc17b0824f965a43863d86f94eb4756a274ce087dc69c43f08d9cc03aaf2ff2cc4fba8296a52bc672f1b4933ea1a7ba22e9b114b

memory/1664-166-0x00000000062D0000-0x000000000631C000-memory.dmp

memory/1664-167-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/1664-168-0x0000000070CE0000-0x0000000071037000-memory.dmp

memory/1664-177-0x0000000007460000-0x0000000007504000-memory.dmp

memory/1664-178-0x00000000077C0000-0x00000000077D1000-memory.dmp

memory/1664-179-0x0000000006030000-0x0000000006045000-memory.dmp

memory/2124-180-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/940-190-0x00000000059D0000-0x0000000005D27000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 347f52dc58720bfe458d47c01afd9d58
SHA1 4bbf543d357c0f07625b05b660ae3400721fd0e5
SHA256 e2ff7e44b7fd512e4ad4328b05eefd2eb3c0f4976a5bca63521029b80adefea7
SHA512 bf7a089322036b545c35bff32a57d4ccc7306958548122b4bd42cbf321e848b8184a92ba2beb499e40de62361d798d4b1be8f6116b58d3cdb02dad5aae0b3600

memory/940-192-0x0000000070A90000-0x0000000070ADC000-memory.dmp

memory/940-193-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2124-209-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/684-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/684-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3000-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2124-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3000-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2124-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2124-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3000-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2124-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2124-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2124-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2124-237-0x0000000000400000-0x0000000002B0B000-memory.dmp