Malware Analysis Report

2025-01-02 06:30

Sample ID 240515-xv9xzaff89
Target e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be
SHA256 e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be
Tags
glupteba discovery dropper evasion execution loader persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be

Threat Level: Known bad

The file e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 19:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 19:11

Reported

2024-05-15 19:14

Platform

win10v2004-20240426-en

Max time kernel

31s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (repeated for all 19 matches; the report records no indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (repeated for all 6 matches; the report records no indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4300 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\system32\cmd.exe
PID 4440 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2684 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4440 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\rss\csrss.exe
PID 4440 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\rss\csrss.exe
PID 4440 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\rss\csrss.exe
PID 4520 wrote to memory of 3744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 3744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 3744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 3104 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe

"C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe

"C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
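The process list above is the core of the report: the sample drops a binary named csrss.exe under C:\Windows\rss, opens the firewall for it with netsh, registers it as an ONLOGON scheduled task at the highest run level, passes taskmgr.exe and a DLL named NtQuerySystemInformationHook.dll to an injector, and finally rewrites the security descriptor of a service named WinDefender. In that SDDL the ACE (D;;WPDT;;;BA) denies WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) to Builtin Administrators, so an administrator can no longer stop or pause the service through the Service Control Manager while LocalSystem (SY) still can. The Python below is an added example, not part of the sandbox report or of any tool it uses: it re-implements those checks over the command lines copied from this section, and its SDDL parser decodes the right abbreviations with their service-object meaning. The helper names, finding tags and the list of process names worth protecting are our own.

```python
import re

# Core Windows process names that malware borrows, and where the real ones live (our list).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                        "svchost.exe", "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Service-object meaning of the SDDL right abbreviations, and the SIDs used in this report.
SERVICE_RIGHTS = {"CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
                  "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
                  "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
                  "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
                  "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive", "SU": "Service", "WD": "Everyone"}
# Rights whose denial keeps an operator from stopping, pausing, deleting or reconfiguring a service.
CONTROL_RIGHTS = {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE", "DELETE", "SERVICE_CHANGE_CONFIG"}
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+?\.exe', re.IGNORECASE)

# Command lines copied from the Processes section of this report.
REPORT_CMDLINES = [
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'C:\Windows\rss\csrss.exe',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]

def masquerading_paths(cmdline):
    """Executables named like a core Windows process but living outside System32/SysWOW64."""
    hits = []
    for path in EXE_PATH.findall(cmdline):
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not low.startswith(SYSTEM_DIRS):
            hits.append(path)
    return hits

def firewall_allow_rule(cmdline):
    """netsh advfirewall ... add rule ... action=allow program=<path>: return <path>, else None."""
    low = cmdline.lower()
    if not all(k in low for k in ("advfirewall", "add rule", "action=allow")):
        return None
    m = re.search(r'program="?([^"\s]+)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def logon_task_highest(cmdline):
    """schtasks /create with an ONLOGON trigger and /RL HIGHEST: return the /TR target, else None."""
    low = cmdline.lower()
    if not all(k in low for k in ("schtasks", "/create", "/sc onlogon", "/rl highest")):
        return None
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|\s*$)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def dll_injection_args(cmdline):
    """A command whose arguments name both a target process and a DLL: return (target, dll)."""
    args = cmdline.split()[1:]
    targets = [a for a in args if a.lower().endswith(".exe")]
    dlls = [a for a in args if a.lower().endswith(".dll")]
    return (targets[0], dlls[0]) if targets and dlls else None

def sddl_aces(sddl, section="D"):
    """ACEs of the D: (DACL) or S: (SACL) part of an SDDL string as (type, flags, rights, sid)."""
    m = re.search(section + r":[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(f) == 6:
            aces.append((f[0], f[1], f[2], f[5]))
    return aces

def decode_rights(rights):
    """Expand an SDDL rights string into service-right names; a hex mask is returned as-is."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]

def denied_service_controls(cmdline):
    """sc sdset <svc> <sddl>: (service, who, rights) for each deny ACE that blocks control rights."""
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.IGNORECASE)
    if not m:
        return []
    service, sddl = m.groups()
    findings = []
    for ace_type, _flags, rights, sid in sddl_aces(sddl, "D"):
        blocked = tuple(r for r in decode_rights(rights) if r in CONTROL_RIGHTS)
        if ace_type == "D" and blocked:
            findings.append((service, WELL_KNOWN_SIDS.get(sid, sid), blocked))
    return findings

def triage(cmdlines):
    """Run every check over a list of command lines: sorted, de-duplicated (tag, detail) pairs."""
    findings = set()
    for cmd in cmdlines:
        findings.update(("masquerade", p) for p in masquerading_paths(cmd))
        if (prog := firewall_allow_rule(cmd)):
            findings.add(("firewall-allow", prog))
        if (task := logon_task_highest(cmd)):
            findings.add(("logon-task-highest", task))
        if (inj := dll_injection_args(cmd)):
            findings.add(("dll-injection", inj))
        findings.update(("service-hardening", f) for f in denied_service_controls(cmd))
    return sorted(findings)

if __name__ == "__main__":
    for tag, detail in triage(REPORT_CMDLINES):
        print(f"{tag:20} {detail}")
```

Run as a script it prints five findings, one per technique, with the duplicate csrss.exe path from the netsh, schtasks and direct-execution lines collapsed into one. The deny ACE is the part worth remembering during response: the allow ACE for Administrators that precedes it still grants WRITE_DAC, so the descriptor can be put back with another sc sdset, but until then sc stop and the Services console fail with access denied for every member of Administrators, and the process must be killed rather than stopped.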

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
BE 2.17.196.129:443 www.bing.com tcp
US 8.8.8.8:53 129.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 a60a3aba-7081-4d66-b2da-615916cb495e.uuid.myfastupdate.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server2.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server2.myfastupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.111:443 server2.myfastupdate.org tcp
US 8.8.8.8:53 stun.sipgate.net udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
BG 185.82.216.111:443 server2.myfastupdate.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
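The network table mixes sandbox background traffic (www.bing.com, tse1.mm.bing.net, PTR lookups for addresses that never appear as connection targets) with three patterns worth pulling out by hand: STUN queries (stun.stunprotocol.org, and stun.sipgate.net on udp/3478), a hostname whose first label is a UUID under uuid.myfastupdate.org, and reverse lookups of exactly the addresses the sample connects to (185.82.216.111, 162.159.130.233, 172.67.221.71 and 3.33.249.248 each get an in-addr.arpa query). The Python below is an added example, not part of the report: it parses rows in the format printed above (a subset of them, copied here), rebuilds the IP from each PTR name and correlates it with the TCP/UDP peers, and flags the three patterns. The resolver list, the finding tags and the STUN heuristic are our own assumptions.

```python
import re

# Rows copied from the Network table of this report (a subset): country, destination, domain, proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
BE 2.17.196.129:443 www.bing.com tcp
US 8.8.8.8:53 a60a3aba-7081-4d66-b2da-615916cb495e.uuid.myfastupdate.org udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server2.myfastupdate.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server2.myfastupdate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
                 r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")
# First DNS label is an RFC 4122-shaped UUID: one hostname per victim, easy to spot, hard to blocklist.
UUID_LABEL = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.IGNORECASE)
PTR_SUFFIX = ".in-addr.arpa"
STUN_PORT = 3478  # IANA-registered STUN port; the name check covers queries that never got that far.

def parse_rows(text):
    """Parse the report's 'country destination domain proto' rows; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def ptr_to_ip(name):
    """'111.216.82.185.in-addr.arpa' -> '185.82.216.111'; None for anything that is not a v4 PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))

def triage_network(rows, resolvers=("8.8.8.8",)):
    """Sorted (tag, detail) findings: STUN use, UUID-labelled hostnames, PTR lookups of contacted peers."""
    peers = {r["ip"]: r["domain"] for r in rows if r["ip"] not in resolvers}
    findings = set()
    for r in rows:
        dom = r["domain"]
        if r["port"] == STUN_PORT or dom.lower().startswith("stun."):
            findings.add(("stun", dom))
        if UUID_LABEL.match(dom):
            findings.add(("uuid-host", dom))
        ip = ptr_to_ip(dom)
        if ip in peers:  # the sample reverse-resolved an address it also talked to
            findings.add(("ptr-of-peer", (ip, peers[ip])))
    return sorted(findings)

if __name__ == "__main__":
    for tag, detail in triage_network(parse_rows(NETWORK_ROWS)):
        print(f"{tag:12} {detail}")
```

The ptr-of-peer correlation is the useful part: a process that asks the resolver for the PTR record of every address it has just connected to, on top of STUN queries to learn its own public address, is fingerprinting its network position, and that combination is rare in legitimate desktop software. Over the full table the same four peers come out; the PTR queries for 20.x and 2.17.x addresses do not, because nothing in the table connects to them.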

Files

memory/4300-1-0x00000000047C0000-0x0000000004BC8000-memory.dmp

memory/4300-2-0x0000000004BD0000-0x00000000054BB000-memory.dmp

memory/4300-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4364-4-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/4364-5-0x00000000029B0000-0x00000000029E6000-memory.dmp

memory/4364-6-0x0000000005220000-0x0000000005848000-memory.dmp

memory/4364-7-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4364-8-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4364-9-0x00000000050D0000-0x00000000050F2000-memory.dmp

memory/4364-11-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/4364-10-0x0000000005170000-0x00000000051D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjxgygd5.cau.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4364-21-0x0000000005AB0000-0x0000000005E04000-memory.dmp

memory/4364-22-0x0000000005F90000-0x0000000005FAE000-memory.dmp

memory/4364-23-0x0000000005FD0000-0x000000000601C000-memory.dmp

memory/4364-24-0x00000000064F0000-0x0000000006534000-memory.dmp

memory/4364-25-0x00000000072A0000-0x0000000007316000-memory.dmp

memory/4364-26-0x00000000079A0000-0x000000000801A000-memory.dmp

memory/4364-27-0x0000000007350000-0x000000000736A000-memory.dmp

memory/4364-42-0x0000000007570000-0x0000000007613000-memory.dmp

memory/4364-41-0x0000000007550000-0x000000000756E000-memory.dmp

memory/4364-44-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4300-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4364-45-0x0000000007660000-0x000000000766A000-memory.dmp

memory/4364-46-0x0000000007720000-0x00000000077B6000-memory.dmp

memory/4364-43-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4364-31-0x00000000706E0000-0x0000000070A34000-memory.dmp

memory/4364-47-0x0000000007680000-0x0000000007691000-memory.dmp

memory/4364-30-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/4364-29-0x0000000007510000-0x0000000007542000-memory.dmp

memory/4364-48-0x00000000076C0000-0x00000000076CE000-memory.dmp

memory/4364-49-0x00000000076D0000-0x00000000076E4000-memory.dmp

memory/4364-50-0x00000000077C0000-0x00000000077DA000-memory.dmp

memory/4364-51-0x0000000007710000-0x0000000007718000-memory.dmp

memory/4364-54-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4220-65-0x00000000057C0000-0x0000000005B14000-memory.dmp

memory/4300-66-0x00000000047C0000-0x0000000004BC8000-memory.dmp

memory/4300-67-0x0000000004BD0000-0x00000000054BB000-memory.dmp

memory/4220-68-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/4220-79-0x0000000006F30000-0x0000000006FD3000-memory.dmp

memory/4220-69-0x0000000070700000-0x0000000070A54000-memory.dmp

memory/4220-80-0x0000000007240000-0x0000000007251000-memory.dmp

memory/4220-81-0x0000000007290000-0x00000000072A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/5024-94-0x0000000005870000-0x0000000005BC4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d34dd5c4b18264f1c7be52c77da6f13c
SHA1 0c8df5642a900be96767287e4d7edf8eae07d945
SHA256 60e718f106651df66a24b22e7d6297298ef3aa011f54c4cee0a399a9427281bc
SHA512 1212dcc3bd35c1bc9c3f63a9929d5e8f2723138c083e6cc4de473c42da9ef1f823a8630c7b6739065db6385a7fae94e800ef635d69d2e5cf897e223663cba1bb

memory/4300-96-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5024-98-0x0000000070B30000-0x0000000070E84000-memory.dmp

memory/5024-97-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/4056-118-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f4648855eccc0b76025d8a75d614589a
SHA1 0c4446b987b3e7e56bbe5250f1ea3ff95207788c
SHA256 8a273ca22f567e4e3e73ef1f0019e7764d9f8c3b547d9f5ac9476c7ec2bea1e5
SHA512 c19faca2cc38dff0aa26977cae38eea2d2b96c4b3774a1fd91fdbb714b525508d5686433d15d796fb94c5c1451e6ed2cce41b6975dbb236e5c93b122ea252df2

memory/4056-121-0x0000000070D00000-0x0000000071054000-memory.dmp

memory/4056-120-0x0000000070560000-0x00000000705AC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f9917dd546b688c21eaf54dde0f747ae
SHA1 ec1fb3af1b4f86a2d52b0dce9efa80aedd26b4d5
SHA256 e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be
SHA512 28347d23a96b5dd43867b54f4955d8f2ca2f499a49f4526097338778128940601ca41e4242d36bc89c2307fdfd928bc03e841a8efbd9f8e4a358dcd149303504

memory/4300-138-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4440-137-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 85b37553905737526d43a3a2f7f067bf
SHA1 936a5a9404326bb89090bacf7c125ab7234612e7
SHA256 6c0c45f7f72fa899d22fbf3cbeb4a7b3474b0592eebdb54f410e6487e1c633e1
SHA512 56bab9f575182ca9203e57155c619aae3e85aff5cb41f148b43d0df548f79c8760aea34f9e22e17d438d4a0e17fafa6ab4f428267f95663e1b83f81dedba1283

memory/3744-144-0x0000000005DB0000-0x0000000006104000-memory.dmp

memory/3744-150-0x0000000070560000-0x00000000705AC000-memory.dmp

memory/3744-151-0x0000000070CE0000-0x0000000071034000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ecd297e650d8952708c88880a3cdb8e
SHA1 e8aff4b86ebc934716ffd54ad09cf473107c6417
SHA256 e7ad1865cfbe0bbd931bbf5eb1bc2e84d0028a51e06720b1f6f9dbb327158b19
SHA512 b3efb1ec902b87c8e5bf7d7b7da50f38b57b9f823e716146aa6bb61a7752a867a5371f824603e4c6498b1130eda4be273ed5fc1b4bf4e070cc6efc8de3f7fd61

memory/3104-171-0x0000000005740000-0x0000000005A94000-memory.dmp

memory/3104-173-0x0000000005F30000-0x0000000005F7C000-memory.dmp

memory/3104-175-0x0000000070600000-0x0000000070954000-memory.dmp

memory/3104-174-0x0000000070480000-0x00000000704CC000-memory.dmp

memory/3104-185-0x0000000006E00000-0x0000000006EA3000-memory.dmp

memory/3104-187-0x0000000007180000-0x0000000007191000-memory.dmp

memory/3104-188-0x00000000055E0000-0x00000000055F4000-memory.dmp

memory/4512-199-0x0000000005E20000-0x0000000006174000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b90d111449003aa5a1fb6285802db986
SHA1 b2d037fab7184ade81301b72e2ee243ae611d8ba
SHA256 e95274ad5bd56a9ad0055e31612ac8de45749819da67952e6a97b75727646a30
SHA512 19c9b4dd38a019b94125e877a2fea2d00614a7310efdb33a966992152d423baa4d70a17f2e3560ae694781ca37976b3194cd238db15ffece91cf5184af6957f3

memory/4512-202-0x0000000070C30000-0x0000000070F84000-memory.dmp

memory/4512-201-0x0000000070480000-0x00000000704CC000-memory.dmp

memory/4520-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2928-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4824-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2928-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4520-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4824-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4520-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4824-243-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4520-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-250-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-254-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-258-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-263-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-267-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4520-270-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 19:11

Reported

2024-05-15 19:14

Platform

win11-20240426-en

Max time kernel

66s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

16 matches recorded; the report gives no description, indicator, process or target for them.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
6 matches recorded; the report gives no description, indicator, process or target for them.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3704 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3704 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\system32\cmd.exe
PID 3172 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 916 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3172 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\rss\csrss.exe
PID 3172 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\rss\csrss.exe
PID 3172 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe C:\Windows\rss\csrss.exe
PID 392 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 756 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 4968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 4968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 4968 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 5024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 5024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 392 wrote to memory of 5024 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe

"C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4172 -ip 4172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1916

C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe

"C:\Users\Admin\AppData\Local\Temp\e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cbc63f8b-2c1e-464d-9462-57d639edef83.uuid.myfastupdate.org udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server11.myfastupdate.org tcp
BG 185.82.216.111:443 server11.myfastupdate.org tcp

Files

memory/3704-1-0x00000000048F0000-0x0000000004CF7000-memory.dmp

memory/3704-2-0x0000000004D00000-0x00000000055EB000-memory.dmp

memory/3704-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4172-5-0x0000000002E30000-0x0000000002E66000-memory.dmp

memory/4172-6-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

memory/4172-7-0x0000000005860000-0x0000000005E8A000-memory.dmp

memory/4172-8-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/4172-9-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/4172-10-0x0000000005FD0000-0x0000000005FF2000-memory.dmp

memory/3704-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4172-11-0x0000000006090000-0x00000000060F6000-memory.dmp

memory/4172-12-0x0000000006170000-0x00000000061D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2l1fnr0.vx3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4172-21-0x00000000061E0000-0x0000000006537000-memory.dmp

memory/4172-22-0x0000000006650000-0x000000000666E000-memory.dmp

memory/4172-23-0x0000000006690000-0x00000000066DC000-memory.dmp

memory/4172-24-0x0000000007630000-0x0000000007676000-memory.dmp

memory/4172-26-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/4172-25-0x0000000007A80000-0x0000000007AB4000-memory.dmp

memory/4172-28-0x0000000070330000-0x0000000070687000-memory.dmp

memory/4172-27-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/4172-37-0x0000000007AC0000-0x0000000007ADE000-memory.dmp

memory/4172-38-0x0000000007AE0000-0x0000000007B84000-memory.dmp

memory/4172-40-0x0000000007C10000-0x0000000007C2A000-memory.dmp

memory/4172-39-0x0000000008250000-0x00000000088CA000-memory.dmp

memory/4172-41-0x0000000007C50000-0x0000000007C5A000-memory.dmp

memory/4172-42-0x0000000073F40000-0x00000000746F1000-memory.dmp

memory/3704-45-0x00000000048F0000-0x0000000004CF7000-memory.dmp

memory/3704-44-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3704-46-0x0000000004D00000-0x00000000055EB000-memory.dmp

memory/1892-55-0x0000000006470000-0x00000000067C7000-memory.dmp

memory/1892-56-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/1892-57-0x0000000070350000-0x00000000706A7000-memory.dmp

memory/1892-66-0x0000000007BB0000-0x0000000007C54000-memory.dmp

memory/1892-67-0x0000000007FB0000-0x0000000008046000-memory.dmp

memory/1892-68-0x0000000007ED0000-0x0000000007EE1000-memory.dmp

memory/1892-69-0x0000000007F10000-0x0000000007F1E000-memory.dmp

memory/1892-70-0x0000000007F20000-0x0000000007F35000-memory.dmp

memory/1892-71-0x0000000007F60000-0x0000000007F7A000-memory.dmp

memory/1892-72-0x0000000007F80000-0x0000000007F88000-memory.dmp

memory/3704-73-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/3092-82-0x00000000062B0000-0x0000000006607000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 efa5d152fdadea8dd432329e41aa9500
SHA1 9755cfbc09ec0c0e655d0a0e0e58665a4aafa47a
SHA256 7e0a14b659048e0dcb99c1e5509c48f1d5b885b6d529524369e94614f244a1ca
SHA512 131f878e8bf85494287e94408a1f532eb925828cb8853cbeae82680662875754ba9459c5156b8c3ea068bab18270daa20d12840d89580e34dbf329a68271810f

memory/3092-87-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/3092-88-0x00000000703C0000-0x0000000070717000-memory.dmp

memory/2320-99-0x0000000005AF0000-0x0000000005E47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d0532fa7fd96ae9aec378797597afb47
SHA1 ff370f63ab1bca3e68ae323d9ad21f3c813cf529
SHA256 dea0fa0b772e8c6d199da3e4466355aa62cef5f28e2b1f30850a88e0ccc05659
SHA512 0c7deedfc7253d4339b2a11eb61068c9302fb0421c05d00c2aede2c9ed0e4184d713ec410e4ab95baca0007c494fbc1283ae096d05d329ec879bd1956bbde1b7

memory/2320-109-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/2320-110-0x0000000070400000-0x0000000070757000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f9917dd546b688c21eaf54dde0f747ae
SHA1 ec1fb3af1b4f86a2d52b0dce9efa80aedd26b4d5
SHA256 e74135b0bdd143511220e77661fcf3800ed215405bb71a255f8b95535a0239be
SHA512 28347d23a96b5dd43867b54f4955d8f2ca2f499a49f4526097338778128940601ca41e4242d36bc89c2307fdfd928bc03e841a8efbd9f8e4a358dcd149303504

memory/3172-123-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/756-128-0x00000000055D0000-0x0000000005927000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2dda4883afda2d378afb936ce2f9007
SHA1 a075b1fec0f77ca57b1f5c04ccc8b7d210faddbc
SHA256 65fdaf27a0b93bd4eacd45e5c04fdcb4cf9acdc3c0a63b119cdfbd487e97ba64
SHA512 36ebe838a804e0eb1806e697341998d65bea569b93631bc83c99ea520a1f361f793c32832105116ae12fc7ace6a69597289014d65a02538dc3d876b38c952803

memory/756-138-0x00000000701B0000-0x00000000701FC000-memory.dmp

memory/756-139-0x0000000070420000-0x0000000070777000-memory.dmp

memory/4968-155-0x0000000005AE0000-0x0000000005E37000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0ba43e769ffc97abe1cc8c0aef3a2a12
SHA1 a83e48c6aa5280f3da63b11a67a1de7f5f2a7645
SHA256 e85135f53a1ae4bdb96f56f3b67585b641ecc57cfbf3c51e25a49e66571c69d8
SHA512 187e3b1dcb922af95d451bf90814760edde45d05a19e79a6f3380dafc5bf5155c6c9ca29b9e84468c6188d1ab791c1f35b890781d60faa6e6bdcb409a96f2eda

memory/4968-160-0x0000000006630000-0x000000000667C000-memory.dmp

memory/4968-161-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/4968-162-0x00000000702E0000-0x0000000070637000-memory.dmp

memory/4968-171-0x0000000007320000-0x00000000073C4000-memory.dmp

memory/4968-172-0x00000000076A0000-0x00000000076B1000-memory.dmp

memory/4968-173-0x0000000005EF0000-0x0000000005F05000-memory.dmp

memory/5024-183-0x0000000005980000-0x0000000005CD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 078051ba4f44d007c375160f620c8b4d
SHA1 352c595d778b921ef6884b468e4745ed78ae5245
SHA256 7cd9b9e7aa7cbed3c021ded87503f4fa92eb96f6565c5e5e8258cad11bc958b3
SHA512 005401dc38cac880f7075649f771d2e15c9badf4f329cef539c1c042d75b15b01545268d948514e928f4713ff5c45aff972b15b04adeaceead5098e2122a79ab

memory/392-185-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5024-186-0x00000000700D0000-0x000000007011C000-memory.dmp

memory/5024-187-0x0000000070250000-0x00000000705A7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/392-203-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4952-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4604-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4952-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/392-213-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4604-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/392-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/392-219-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4604-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/392-222-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/392-225-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/392-228-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/392-231-0x0000000000400000-0x0000000002B0B000-memory.dmp