Malware Analysis Report

2025-01-02 06:33

Sample ID 240515-xv4e7aff84
Target 97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394
SHA256 97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394

Threat Level: Known bad

The file 97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 19:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 19:11

Reported

2024-05-15 19:14

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS


Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe C:\Windows\system32\cmd.exe
PID 2072 wrote to memory of 5100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4116 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe C:\Windows\rss\csrss.exe
PID 3984 wrote to memory of 3636 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 2916 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4932 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4588 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4292 wrote to memory of 1692 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe

"C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe

"C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

memory/4656-1-0x00000000047D0000-0x0000000004BD1000-memory.dmp

memory/4656-2-0x0000000004BE0000-0x00000000054CB000-memory.dmp

memory/4656-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5004-5-0x0000000003130000-0x0000000003166000-memory.dmp

memory/5004-6-0x000000007430E000-0x000000007430F000-memory.dmp

memory/5004-7-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/4656-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5004-8-0x0000000005A10000-0x0000000006038000-memory.dmp

memory/5004-9-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/5004-10-0x0000000005750000-0x0000000005772000-memory.dmp

memory/5004-11-0x0000000006040000-0x00000000060A6000-memory.dmp

memory/5004-12-0x00000000060B0000-0x0000000006116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ocmabok5.qql.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5004-22-0x0000000006120000-0x0000000006474000-memory.dmp

memory/5004-23-0x0000000006720000-0x000000000673E000-memory.dmp

memory/5004-24-0x0000000006770000-0x00000000067BC000-memory.dmp

memory/5004-25-0x0000000006C80000-0x0000000006CC4000-memory.dmp

memory/5004-26-0x0000000007A30000-0x0000000007AA6000-memory.dmp

memory/5004-27-0x0000000008130000-0x00000000087AA000-memory.dmp

memory/5004-28-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

memory/5004-29-0x0000000007CA0000-0x0000000007CD2000-memory.dmp

memory/5004-30-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/5004-32-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/5004-31-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/5004-42-0x0000000007CE0000-0x0000000007CFE000-memory.dmp

memory/5004-44-0x0000000007D00000-0x0000000007DA3000-memory.dmp

memory/5004-43-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/5004-45-0x0000000007DF0000-0x0000000007DFA000-memory.dmp

memory/5004-46-0x0000000007EB0000-0x0000000007F46000-memory.dmp

memory/5004-47-0x0000000007E10000-0x0000000007E21000-memory.dmp

memory/5004-48-0x0000000007E50000-0x0000000007E5E000-memory.dmp

memory/5004-49-0x0000000007E60000-0x0000000007E74000-memory.dmp

memory/5004-50-0x0000000007F50000-0x0000000007F6A000-memory.dmp

memory/5004-51-0x0000000007EA0000-0x0000000007EA8000-memory.dmp

memory/5004-54-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/4656-56-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4656-57-0x00000000047D0000-0x0000000004BD1000-memory.dmp

memory/4656-58-0x0000000004BE0000-0x00000000054CB000-memory.dmp

memory/3832-68-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/3832-69-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/3832-79-0x0000000007800000-0x00000000078A3000-memory.dmp

memory/4656-81-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4116-80-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3832-82-0x0000000007D10000-0x0000000007D21000-memory.dmp

memory/3832-83-0x0000000007D60000-0x0000000007D74000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e817703bd93c5ae534c13b1af8657bb1
SHA1 6c22f67e0461ea8b6e3e0a94ec9106615966ed76
SHA256 3f198ed06db791122a09f6428dfed9fdee0dd2c9dd33cd0d805dfa84fc1b887e
SHA512 667bd3ec1576cba874a2a91e00f2aadc12f2a317984a9b228e658aaf851300962e7e606bf3155424b66d572b6727b9d581061aa4431a98e5eb6e4aa4003fea34

memory/2972-98-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/2972-99-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/1948-119-0x00000000056A0000-0x00000000059F4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3370347c997e5c41267639c574b334ba
SHA1 2dd367e74e3b72879a8b4fc6572c0c9621827232
SHA256 cb153366720082944f3ec2761ae61568fa0e0375a8d318c6b4847af7f5a655bd
SHA512 1b0921055329a6ed57e504a85bdaaf483372137be1b2fe31828c1f832ea18b21f950a44eac616c13eb484745cd60e19f4394736af3e3025187bc01702b4c6fdf

memory/1948-121-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/1948-122-0x0000000070320000-0x0000000070674000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9caa03dea74e5bf8837dc8e9c8fcb463
SHA1 77a71cbc15a6a090d7d260409d09eecbbc980d5b
SHA256 97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394
SHA512 b47d3331ddc1a7614db41e6cc80891e063537923ea0c73415fae0c14ecdd98f402996f6662a0d9ed43b73108f7ffc35195bc489055f7418a66fd60483d582986

memory/4116-136-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 237ac6c5863fe7f4f01d186ddccf4796
SHA1 a2be37445b69fddbedb6e085ec4c3eff475438c9
SHA256 a9f56bb924eaca4366de45352557a55daa636849d820644e5298f18068e02a3c
SHA512 493b047f088e05fede587648b0eb02fe861cca511077d9a322b171a434617132dbb607aff91b677f6ffc9e53eba03ad885de75b88fb1a8ba90fd6937168ec083

memory/3984-150-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3636-151-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/3636-152-0x0000000070320000-0x0000000070674000-memory.dmp

memory/2916-170-0x00000000056C0000-0x0000000005A14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ddc6ca65123c9cad8965ddfbccd833c7
SHA1 31157336e74ced42c91cbae438668e33f5d6060f
SHA256 d6c9d61f9fe55608dd9183253e758c8a455439d62ebd75560866e866a25be2d5
SHA512 dc017c29c59f68b68293b84d5236f725ea0f4d57f84a03d6cf8689533bf36b312850ae8a4893320c53474f09ab509480e60515e464e7155c0f06f4cfb69f2e56

memory/2916-175-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

memory/2916-176-0x00000000700C0000-0x000000007010C000-memory.dmp

memory/2916-177-0x00000000704A0000-0x00000000707F4000-memory.dmp

memory/2916-187-0x0000000006FD0000-0x0000000007073000-memory.dmp

memory/2916-188-0x0000000007310000-0x0000000007321000-memory.dmp

memory/2916-189-0x0000000005B60000-0x0000000005B74000-memory.dmp

memory/4932-200-0x0000000005760000-0x0000000005AB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 754abfc0fc749b42bc857db9f21cd55c
SHA1 b1242f8ae49d7416ad0cd9aa7669a1fd1c75a97d
SHA256 2421901c46b3416aeee4b2de5a02fae5d3b95bbcc3cf71bed8748c208a913b43
SHA512 558b9be6f9e72ab29b5476c365ecc2eee755851d474e0d3c19f6589a522973d13a5d48b8b62be596bff63d95ae76f67fac418e3cf56e4faf4fe6375742ccfc6a

memory/4932-202-0x00000000700C0000-0x000000007010C000-memory.dmp

memory/4932-203-0x0000000070260000-0x00000000705B4000-memory.dmp

memory/3984-213-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3984-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4292-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4292-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3984-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4136-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3984-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3984-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4136-238-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3984-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3984-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3984-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3984-248-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3984-251-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 19:11

Reported

2024-05-15 19:14

Platform

win11-20240426-en

Max time kernel

10s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe

"C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe

"C:\Users\Admin\AppData\Local\Temp\97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 15ec91f7-80da-4a56-b800-ca6e7f60f1a9.uuid.localstats.org udp
US 8.8.8.8:53 server14.localstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server14.localstats.org tcp
US 74.125.250.129:19302 stun3.l.google.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server14.localstats.org tcp
US 52.111.227.11:443 tcp
BG 185.82.216.111:443 server14.localstats.org tcp

Files

memory/1696-1-0x0000000004AB0000-0x0000000004EB6000-memory.dmp

memory/1696-2-0x0000000004EC0000-0x00000000057AB000-memory.dmp

memory/1696-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3936-4-0x000000007449E000-0x000000007449F000-memory.dmp

memory/3936-5-0x0000000004E10000-0x0000000004E46000-memory.dmp

memory/3936-6-0x00000000055C0000-0x0000000005BEA000-memory.dmp

memory/3936-7-0x0000000074490000-0x0000000074C41000-memory.dmp

memory/3936-8-0x0000000005520000-0x0000000005542000-memory.dmp

memory/3936-10-0x0000000005D60000-0x0000000005DC6000-memory.dmp

memory/3936-9-0x0000000005CF0000-0x0000000005D56000-memory.dmp

memory/3936-11-0x0000000074490000-0x0000000074C41000-memory.dmp

memory/3936-20-0x0000000005DD0000-0x0000000006127000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eaymyxhq.ck1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3936-21-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/3936-22-0x0000000006300000-0x000000000634C000-memory.dmp

memory/3936-23-0x0000000006840000-0x0000000006886000-memory.dmp

memory/3936-24-0x0000000007700000-0x0000000007734000-memory.dmp

memory/3936-25-0x0000000070700000-0x000000007074C000-memory.dmp

memory/3936-27-0x0000000070910000-0x0000000070C67000-memory.dmp

memory/3936-26-0x0000000074490000-0x0000000074C41000-memory.dmp

memory/3936-37-0x0000000007760000-0x0000000007804000-memory.dmp

memory/3936-36-0x0000000007740000-0x000000000775E000-memory.dmp

memory/3936-38-0x0000000074490000-0x0000000074C41000-memory.dmp

memory/3936-40-0x0000000007890000-0x00000000078AA000-memory.dmp

memory/3936-39-0x0000000007ED0000-0x000000000854A000-memory.dmp

memory/3936-41-0x00000000078D0000-0x00000000078DA000-memory.dmp

memory/3936-42-0x00000000079E0000-0x0000000007A76000-memory.dmp

memory/3936-43-0x00000000078F0000-0x0000000007901000-memory.dmp

memory/3936-44-0x0000000007940000-0x000000000794E000-memory.dmp

memory/3936-45-0x0000000007950000-0x0000000007965000-memory.dmp

memory/3936-46-0x00000000079A0000-0x00000000079BA000-memory.dmp

memory/3936-47-0x00000000079C0000-0x00000000079C8000-memory.dmp

memory/3936-50-0x0000000074490000-0x0000000074C41000-memory.dmp

memory/1696-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1696-53-0x0000000004AB0000-0x0000000004EB6000-memory.dmp

memory/1696-54-0x0000000004EC0000-0x00000000057AB000-memory.dmp

memory/4380-63-0x0000000005580000-0x00000000058D7000-memory.dmp

memory/4380-64-0x0000000070700000-0x000000007074C000-memory.dmp

memory/4380-74-0x0000000006CE0000-0x0000000006D84000-memory.dmp

memory/4380-65-0x0000000070880000-0x0000000070BD7000-memory.dmp

memory/4380-75-0x0000000007010000-0x0000000007021000-memory.dmp

memory/4380-76-0x0000000007060000-0x0000000007075000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/744-88-0x0000000005780000-0x0000000005AD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 50ce5ceb6a3f06826cda1d4d61c3815a
SHA1 bc1a74ac90d370935ef40a2a286d099ba34b9369
SHA256 af946586d9eb4c60a1e50c1620f2418f8ab463dafa8e19651a8fb329c97f566a
SHA512 72100fd3f8691759ff7348754b94d5cbf891ef17a6c667bc3900863c1f5756e40bd033e4c66f01fad9afd760e81e76e0e8e822c504411c5f0487369fa149dfd6

memory/744-90-0x0000000070700000-0x000000007074C000-memory.dmp

memory/744-91-0x00000000710D0000-0x0000000071427000-memory.dmp

memory/1696-102-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2448-101-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 087b51e1e0db04f96811495155691345
SHA1 f4e3c3b9b9584fa5679ee34ea61ab589e1fc845f
SHA256 459bb9c16a209789da5ea18b8d644c02542d6b50e2a0946311577e526c61ed7b
SHA512 f2801e3aa699d1db4acc2a7915d3d8912254e0a32f4f87f4b41a580ea5b7bd93e1d2e9ae2ccfcc462cdaddebc7b0a33b020af4b4b18b84e52a7f14715708965a

memory/2716-113-0x0000000070700000-0x000000007074C000-memory.dmp

memory/2716-114-0x0000000070880000-0x0000000070BD7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9caa03dea74e5bf8837dc8e9c8fcb463
SHA1 77a71cbc15a6a090d7d260409d09eecbbc980d5b
SHA256 97ea96520a58d340a465d76dec5004d709582273d07a4f5eb529993db2bb5394
SHA512 b47d3331ddc1a7614db41e6cc80891e063537923ea0c73415fae0c14ecdd98f402996f6662a0d9ed43b73108f7ffc35195bc489055f7418a66fd60483d582986

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ce0b8c9a33b0780fa663bf34de2e9330
SHA1 5d9db9faa3ab563b0152bd6f23dadf5b3837053e
SHA256 4c5329bd8bd7c146a009adcc73d2d6b51983d38eb3b9036cebc2efb2f5e6a197
SHA512 cea36bba3d3fe0ae79f7109aa2d3593dbbfee06e8db3f3db8c8809a93dc0e2db93c3dfd675f40dd8895fbd426eb414781d344e0a60484da6eec8faa63f65eafc

memory/3968-138-0x0000000070700000-0x000000007074C000-memory.dmp

memory/3968-139-0x0000000070880000-0x0000000070BD7000-memory.dmp

memory/3108-157-0x0000000005DD0000-0x0000000006127000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ee66330b51d5c7a294c011a58d4f9cc6
SHA1 278a0513ea0ecbcfbe26383badbc5d5ecca9aace
SHA256 21f13041e115ed89b8c2f878c65efaf9a5ddd6d47953bbb36c8d18bd38cc8691
SHA512 56ab61a0045035f4fbb914e18e0030f0ce222f249451b4742951cdc10eb58ae61c51f35b3594484faf274d9528afadc9f8fca6d82d92468e5fb7316717c4362a

memory/3108-161-0x00000000066F0000-0x000000000673C000-memory.dmp

memory/2448-160-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3108-162-0x0000000070620000-0x000000007066C000-memory.dmp

memory/3108-172-0x00000000075F0000-0x0000000007694000-memory.dmp

memory/3108-163-0x00000000707C0000-0x0000000070B17000-memory.dmp

memory/3108-173-0x0000000007920000-0x0000000007931000-memory.dmp

memory/3108-174-0x0000000006170000-0x0000000006185000-memory.dmp

memory/4992-184-0x00000000058B0000-0x0000000005C07000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f01ebdb9e29aa904997ec17cab6b8f40
SHA1 2cfb83ae324cbf31810c975bf2834971c5c3bc02
SHA256 5b25a92374c044acedd430bc71b25f812cd88aa6fa794e3dedc03970d1967c1a
SHA512 4497d11997d97b8a9dfe26129c72a0c3915a9cf0af9866082dd14961780413b80ace96f7c2c4ba52fe97bcb4553f6d24b9a6e6c6e62a30a86467e94f896656b1

memory/4992-187-0x00000000707D0000-0x0000000070B27000-memory.dmp

memory/4992-186-0x0000000070620000-0x000000007066C000-memory.dmp

memory/1580-196-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4748-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1580-208-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3752-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4748-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3752-218-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1580-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3752-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1580-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-245-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1580-253-0x0000000000400000-0x0000000002B0B000-memory.dmp