Malware Analysis Report

2025-01-02 06:42

Sample ID

240515-xw995afg47

Target

6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb

SHA256

6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb

Tags

glupteba discovery dropper evasion execution loader persistence rootkit upx

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb

Threat Level: Known bad

The file 6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 19:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 19:13

Reported

2024-05-15 19:16

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (18 matches reported; no description, indicator, process or target recorded for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches reported; no description, indicator, process or target recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4344 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\system32\cmd.exe
PID 5096 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5096 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4180 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\rss\csrss.exe
PID 4180 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\rss\csrss.exe
PID 4180 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe C:\Windows\rss\csrss.exe
PID 2396 wrote to memory of 3236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 3236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 3236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 4028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 4028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 4028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 4192 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 4192 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 4192 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 3032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2396 wrote to memory of 3032 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 720 wrote to memory of 2256 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 2256 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 2256 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2256 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2256 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe

"C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe

"C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 020f3941-e2a2-4dc0-b1d5-917e823c3d7d.uuid.statsexplorer.org udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server12.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun3.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp

Files

memory/4344-1-0x0000000004790000-0x0000000004B89000-memory.dmp

memory/4344-2-0x0000000004B90000-0x000000000547B000-memory.dmp

memory/4344-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4344-4-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1600-5-0x00000000740AE000-0x00000000740AF000-memory.dmp

memory/1600-6-0x0000000002920000-0x0000000002956000-memory.dmp

memory/1600-7-0x00000000740A0000-0x0000000074850000-memory.dmp

memory/1600-8-0x0000000005160000-0x0000000005788000-memory.dmp

memory/1600-9-0x0000000004F30000-0x0000000004F52000-memory.dmp

memory/1600-10-0x0000000005800000-0x0000000005866000-memory.dmp

memory/1600-11-0x00000000058E0000-0x0000000005946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udmqj4q2.sch.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1600-21-0x0000000005A50000-0x0000000005DA4000-memory.dmp

memory/1600-23-0x0000000005F30000-0x0000000005F7C000-memory.dmp

memory/1600-22-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

memory/1600-24-0x0000000006450000-0x0000000006494000-memory.dmp

memory/1600-25-0x0000000007020000-0x0000000007096000-memory.dmp

memory/1600-26-0x0000000007950000-0x0000000007FCA000-memory.dmp

memory/1600-27-0x00000000072D0000-0x00000000072EA000-memory.dmp

memory/1600-29-0x00000000740A0000-0x0000000074850000-memory.dmp

memory/1600-30-0x000000006FF40000-0x000000006FF8C000-memory.dmp

memory/1600-28-0x0000000007480000-0x00000000074B2000-memory.dmp

memory/1600-31-0x00000000700C0000-0x0000000070414000-memory.dmp

memory/1600-41-0x00000000074C0000-0x00000000074DE000-memory.dmp

memory/1600-42-0x00000000074E0000-0x0000000007583000-memory.dmp

memory/1600-43-0x00000000740A0000-0x0000000074850000-memory.dmp

memory/1600-44-0x00000000075D0000-0x00000000075DA000-memory.dmp

memory/1600-45-0x00000000076E0000-0x0000000007776000-memory.dmp

memory/1600-46-0x00000000075E0000-0x00000000075F1000-memory.dmp

memory/1600-47-0x0000000007620000-0x000000000762E000-memory.dmp

memory/1600-48-0x0000000007640000-0x0000000007654000-memory.dmp

memory/1600-49-0x0000000007690000-0x00000000076AA000-memory.dmp

memory/1600-50-0x0000000007680000-0x0000000007688000-memory.dmp

memory/1600-53-0x00000000740A0000-0x0000000074850000-memory.dmp

memory/4344-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4344-57-0x0000000004B90000-0x000000000547B000-memory.dmp

memory/4344-54-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/372-65-0x0000000005DA0000-0x00000000060F4000-memory.dmp

memory/372-68-0x0000000006400000-0x000000000644C000-memory.dmp

memory/372-69-0x0000000070040000-0x000000007008C000-memory.dmp

memory/372-70-0x00000000707E0000-0x0000000070B34000-memory.dmp

memory/372-80-0x0000000007590000-0x0000000007633000-memory.dmp

memory/372-81-0x00000000078C0000-0x00000000078D1000-memory.dmp

memory/372-82-0x0000000007910000-0x0000000007924000-memory.dmp

memory/4180-83-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3276-96-0x0000000006520000-0x0000000006874000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7ae78f79d52f5cf6d27ced56cf35ea47
SHA1 c0d03f553d61c8cd7548a1c564afec7ad6dbf069
SHA256 a50b5eaf8a11b305b91f16e7482f36ead4b1c42b4a4623617f0277ebcb89a626
SHA512 d99e28ae70817b9dc95767772c37d4ac4a0ee23993a8abb8b0de056034c262b9c3998f52451a6d31dffec4833f6c833272e7415c0dfa76192ee2635128bc77d0

memory/3276-98-0x0000000070040000-0x000000007008C000-memory.dmp

memory/3276-99-0x00000000701C0000-0x0000000070514000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3f1796388b33b09bc34aa0a3598cdc0
SHA1 88905460c34e7ab14a529e815344192618164a06
SHA256 5d6d3dad1e8222cb0d158c15575c177812f2a9a99fbb020eb8ebd6671ff4e88f
SHA512 f44ed26175e5f51591443eef2c744bca8bc4398168ca6fc371fb4742be2bf72b0b6100bbeb035ef702d75441d94842a671280a966b060560c84b54ae2d1ed453

memory/5104-120-0x0000000070040000-0x000000007008C000-memory.dmp

memory/5104-121-0x00000000707E0000-0x0000000070B34000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 4f3ab3c0644fc5d8b028eadaf86465e6
SHA1 03ce9f9bb4278e899a53ca5d20294c8da12689e4
SHA256 6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb
SHA512 be1c4587aebb990f062f4fee5aea2a8bfe47a683a4708c6a00dc56bee0a1d9e07ed0bb0d567de49e2260147d8d779c71c8fdde6fbdc667d9ec20b05cb30f59dc

memory/4180-137-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3236-147-0x0000000006140000-0x0000000006494000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dfcf00bbb51228844d4e11a3eb2ff065
SHA1 2c479590f316b005bd63709105d0e4f97371093c
SHA256 e24a93c96a9468dbfb45bd258f3dbd0e40349c3252ae973d6d1d32a635399e59
SHA512 496ca1f94563c113a400c5368ddba462d2e02de77ef918dde356379e55eeaa78baf8a55795ad474f346e759b7c8f3c3917de05be9dfa5aa24c954f40b12be0da

memory/3236-149-0x00000000066C0000-0x000000000670C000-memory.dmp

memory/3236-150-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

memory/3236-151-0x0000000070140000-0x0000000070494000-memory.dmp

memory/3236-161-0x00000000078F0000-0x0000000007993000-memory.dmp

memory/3236-162-0x0000000007C10000-0x0000000007C21000-memory.dmp

memory/2396-164-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3236-165-0x00000000064C0000-0x00000000064D4000-memory.dmp

memory/4028-176-0x0000000005B90000-0x0000000005EE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad6f599c45f72d76f1963ab5398d5039
SHA1 73c73980cacf756ab9a1938af0c98286c7df1aec
SHA256 e53d74a8b7ec36127526c6bccc164d6c3b4938ddf7c8ddf24bc4169679d52dbd
SHA512 376b442c67d08adb436450b2a00418efa51fa1adc18afa7936678d008e7810bae99aafffda73c3c69500c47a2fe4fc0d91e4d3b00fde18beb3a15f31a8ceea59

memory/4028-178-0x0000000006390000-0x00000000063DC000-memory.dmp

memory/4028-179-0x000000006FEC0000-0x000000006FF0C000-memory.dmp

memory/4028-180-0x0000000070040000-0x0000000070394000-memory.dmp

memory/4028-190-0x00000000072A0000-0x0000000007343000-memory.dmp

memory/4028-191-0x0000000007620000-0x0000000007631000-memory.dmp

memory/4028-192-0x0000000005AE0000-0x0000000005AF4000-memory.dmp

memory/4192-194-0x0000000006220000-0x0000000006574000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 761751de0496e1c8a91182de7df783e8
SHA1 46ff7f11fb260252412d9da36aa5627c4f38cd13
SHA256 f46712550f1cc412417a89087637beea1dde206ae6dbb30ce7312bdfa397ade5
SHA512 027c026a7aca1d72528022673ca6bf9088388d320d0ae2a826676208626e103553f7d5473088e29ff210261dbeecd101f1253ddbae66c463667918ecde10d81c

memory/4192-205-0x000000006FEC0000-0x000000006FF0C000-memory.dmp

memory/4192-206-0x0000000070660000-0x00000000709B4000-memory.dmp

memory/2396-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/720-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4332-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/720-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2396-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4332-237-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2396-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2396-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4332-243-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2396-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2396-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2396-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2396-251-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2396-254-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 19:13

Reported

2024-05-15 19:16

Platform

win11-20240426-en

Max time kernel

9s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe

"C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe

"C:\Users\Admin\AppData\Local\Temp\6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 127e81ac-ae0d-43bd-a566-7a4612d62470.uuid.statsexplorer.org udp
US 8.8.8.8:53 server14.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 52.111.229.43:443 tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp

Files

memory/956-1-0x00000000049B0000-0x0000000004DAF000-memory.dmp

memory/956-2-0x0000000004DB0000-0x000000000569B000-memory.dmp

memory/956-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4136-4-0x000000007478E000-0x000000007478F000-memory.dmp

memory/4136-5-0x0000000004E20000-0x0000000004E56000-memory.dmp

memory/4136-7-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/4136-6-0x0000000005550000-0x0000000005B7A000-memory.dmp

memory/4136-9-0x0000000005440000-0x0000000005462000-memory.dmp

memory/4136-8-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/4136-10-0x0000000005D30000-0x0000000005D96000-memory.dmp

memory/4136-11-0x0000000005DA0000-0x0000000005E06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbnklb1d.p0j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4136-20-0x0000000005E10000-0x0000000006167000-memory.dmp

memory/4136-21-0x00000000062D0000-0x00000000062EE000-memory.dmp

memory/4136-22-0x0000000006320000-0x000000000636C000-memory.dmp

memory/4136-23-0x0000000006890000-0x00000000068D6000-memory.dmp

memory/4136-24-0x0000000007700000-0x0000000007734000-memory.dmp

memory/4136-25-0x00000000709F0000-0x0000000070A3C000-memory.dmp

memory/4136-36-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/4136-35-0x0000000007740000-0x000000000775E000-memory.dmp

memory/4136-37-0x0000000007760000-0x0000000007804000-memory.dmp

memory/4136-38-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/4136-26-0x0000000070B70000-0x0000000070EC7000-memory.dmp

memory/4136-40-0x0000000007890000-0x00000000078AA000-memory.dmp

memory/4136-39-0x0000000007ED0000-0x000000000854A000-memory.dmp

memory/4136-41-0x00000000078D0000-0x00000000078DA000-memory.dmp

memory/4136-42-0x00000000079E0000-0x0000000007A76000-memory.dmp

memory/4136-43-0x00000000078F0000-0x0000000007901000-memory.dmp

memory/4136-44-0x0000000007940000-0x000000000794E000-memory.dmp

memory/4136-45-0x0000000007950000-0x0000000007965000-memory.dmp

memory/4136-46-0x00000000079A0000-0x00000000079BA000-memory.dmp

memory/4136-47-0x00000000079C0000-0x00000000079C8000-memory.dmp

memory/4136-50-0x0000000074780000-0x0000000074F31000-memory.dmp

memory/956-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/956-54-0x0000000004DB0000-0x000000000569B000-memory.dmp

memory/956-51-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2824-63-0x0000000005770000-0x0000000005AC7000-memory.dmp

memory/2824-64-0x0000000005C90000-0x0000000005CDC000-memory.dmp

memory/2824-65-0x0000000070B00000-0x0000000070B4C000-memory.dmp

memory/2824-75-0x0000000006E60000-0x0000000006F04000-memory.dmp

memory/2824-66-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

memory/2824-76-0x0000000007190000-0x00000000071A1000-memory.dmp

memory/2824-77-0x00000000071E0000-0x00000000071F5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 56776449685758a311fc2a58c966e072
SHA1 ddfb960adb4300598229c73acaa5b47d23c5f4d2
SHA256 3173b4890e4f1859fa00345396304a1081b44dc4f54fc7332ca5c603817bc18a
SHA512 889279af03a1686010f56672eec2511761461d7fb5c9e8348f0d04ea5cf2114104b62e4a4b2763f19a984931d61f337a54bddb950d65031348a1108809eea1d9

memory/3776-91-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

memory/3776-90-0x0000000070B00000-0x0000000070B4C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c8c0831c3d69cf719b543e4809954d52
SHA1 3aed07dc8d1e43587cb3ac7488b8787e74ca4109
SHA256 f7566d2544a8092426509d5e54857486a557499c21b489e39dc5059fbd797b95
SHA512 6961613398ee30cb24f65e72c03107d1ddac019c203abd535040ecbbee29df9d048414960c61502055bf565f83c3282aa9d7b3a6a31ba89c3471d6a84764bf7c

memory/3124-109-0x00000000055F0000-0x0000000005947000-memory.dmp

memory/3124-112-0x0000000070CF0000-0x0000000071047000-memory.dmp

memory/3124-111-0x0000000070B00000-0x0000000070B4C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 4f3ab3c0644fc5d8b028eadaf86465e6
SHA1 03ce9f9bb4278e899a53ca5d20294c8da12689e4
SHA256 6dacbc01ec6697ed45f887e8b5a6905081c6beaa7ea448585528a4bf01b198cb
SHA512 be1c4587aebb990f062f4fee5aea2a8bfe47a683a4708c6a00dc56bee0a1d9e07ed0bb0d567de49e2260147d8d779c71c8fdde6fbdc667d9ec20b05cb30f59dc

memory/1028-126-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1892-133-0x0000000005570000-0x00000000058C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c3d3acb42118370aad6778eabc9f5ec9
SHA1 07835df500e3a64c5749997cf1f755656d65fb6d
SHA256 673eb8d9506e1373e217e6347704f3e31c926d69d1a22571834657d3a960e160
SHA512 07a0a4ff8cee21be3f2f80d0513abebcf077e3dbed016471c66d53e310969b33789c3e3215aa02459950c2bfed2005b0b12c5893f42b86cc58fb4d940147597c

memory/1892-138-0x0000000005B90000-0x0000000005BDC000-memory.dmp

memory/1892-139-0x0000000070A60000-0x0000000070AAC000-memory.dmp

memory/1892-140-0x0000000070CB0000-0x0000000071007000-memory.dmp

memory/1892-149-0x0000000006DC0000-0x0000000006E64000-memory.dmp

memory/1892-150-0x0000000007110000-0x0000000007121000-memory.dmp

memory/1892-151-0x0000000005950000-0x0000000005965000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b777bd8e1ffa69276d25e0fb11f94b43
SHA1 55eea4b10810f40a897488065b74ec97914f4b44
SHA256 2a67a3066cf36a4fb22d229f15de6710a6ef9b60b072a30717250ab268c49e5b
SHA512 cf4e03f46398003a02f12f3efa2cd82160e5b7a3233cf5d819b08e2385fdd66644ab37c72997aaac7f22423cb028eada8ad7f235e3720d8d8b32ab2002a4387e

memory/692-161-0x0000000006450000-0x00000000067A7000-memory.dmp

memory/692-163-0x0000000006950000-0x000000000699C000-memory.dmp

memory/692-165-0x0000000070B00000-0x0000000070E57000-memory.dmp

memory/692-164-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/692-174-0x0000000007BB0000-0x0000000007C54000-memory.dmp

memory/692-175-0x0000000007D90000-0x0000000007DA1000-memory.dmp

memory/692-176-0x00000000063E0000-0x00000000063F5000-memory.dmp

memory/3088-183-0x0000000005780000-0x0000000005AD7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8db11a2a5f03219560dd25d4e60da310
SHA1 549756b5cfb23186963c64743b379aed7bee34d8
SHA256 998c382676ef1b65bd79915ede098d4b74488c6b5f844d399c621e0d8669abe5
SHA512 c0f4a89418241b8b24b4a76ef7ac79b47f607481ad3933bbe3481fd9e3cca17decaade7eeb84bab43960038936db642422cbdb7395426d2e2633b3a5110cc8e4

memory/3088-189-0x0000000070BD0000-0x0000000070F27000-memory.dmp

memory/3088-188-0x0000000070980000-0x00000000709CC000-memory.dmp

memory/3820-199-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/248-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/248-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3820-210-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1596-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1596-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3820-218-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-221-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1596-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3820-224-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-227-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-242-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/3820-245-0x0000000000400000-0x0000000002B0B000-memory.dmp