Malware Analysis Report

2025-01-02 06:32

Sample ID 240515-xwt8xafg34
Target cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135
SHA256 cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135
Tags
glupteba dropper evasion execution loader discovery persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135

Threat Level: Known bad

The file cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader discovery persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 19:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 19:12

Reported

2024-05-15 19:15

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

178s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1076 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1076 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\system32\cmd.exe
PID 184 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1076 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe

"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe

"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kuoy0ffw.lrs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6273284463b0786ea08d5de72937487f
SHA1 3d15020acdca1df76d7fdfe38c84c1ea9eaffa9e
SHA256 e4e25e36407b789391c06c03de73eac622ddd34d47d1c2eb206ee69fde8827f9
SHA512 30caea9e5df8fb2dd1e927dd1c97139f95e687e2d9c4d6129c3cfda05bb620a06a4c9c6f8d272084effb301da3501477d3c7c9b6e3c42c48d0f1f13ab2714294

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 25b19c7a9a3fa9e037d84552ae277353
SHA1 a1825836cfe49b4644b5c39feecb732bef706505
SHA256 d9ec02c9beb7feeec15e323f490f809a0f6c457ac35b150845c5388efc593693
SHA512 1521e8a4e010d0632d445dd8ec9c6fe3ea226b010befb97d8b1e158c05b52b66a587f58931ea24dd1c1becd73bbc702f568707fd699dcd6f238074193e03f234

C:\Windows\rss\csrss.exe

MD5 0ef5a682155fd44de2d9f2d89c1df0aa
SHA1 51589036aab8d59c45d4d7f0f537e05edb9de443
SHA256 cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135
SHA512 e5a1ab422677f8d539d3c7be80e54c48c1abdffe493e87c912932ab5815d989f48cd1b17ffc84644f7c9747756bc01562c97bbab6e38b4f1b45c57d11015a027

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 19:12

Reported

2024-05-15 19:15

Platform

win11-20240426-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; the sandbox exported no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
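
The two Run-key writes above, the schtasks and netsh command lines listed under Processes further down, and the self-registration (csrss.exe rewriting its own Run value) are the artifacts a responder would want to pick out of a larger event stream. The following is an added example, not part of the sandbox report: it replays those page values as constructed records, adds one benign OneDrive autostart as a control, and applies three path rules (executable under C:\Windows but outside System32/SysWOW64, a file name that mimics a core Windows process, a binary registering itself). The record layout, the SYSTEM_NAMES list and the severity labels are assumptions of the example.

```python
"""Triage persistence artifacts: Run-key writes plus schtasks and netsh
command lines.  Added example, not part of the sandbox report.  Constructed:
the record layout, the OneDrive entry (benign control), SYSTEM_NAMES and the
severity labels."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind name path reason")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run"

RECORDS = [
    {"kind": "registry", "key": RUN_KEY + r"\csrss", "data": r'"C:\Windows\rss\csrss.exe"', "writer": SAMPLE},
    {"kind": "registry", "key": RUN_KEY + r"\csrss", "data": r'"C:\Windows\rss\csrss.exe"', "writer": r"C:\Windows\rss\csrss.exe"},
    # constructed benign control: a normal per-user autostart
    {"kind": "registry", "key": RUN_KEY + r"\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "writer": r"C:\Windows\explorer.exe"},
    {"kind": "process", "cmd": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"kind": "process", "cmd": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"kind": "process", "cmd": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Core Windows binaries that only legitimately run from System32 (assumed list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                "wininit.exe", "winlogon.exe", "svchost.exe"}


def first_path(s):
    """Executable path from registry data or a /TR value: quoted or first token."""
    s = s.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split()[0] if s else ""


def path_reasons(path):
    """Why a persistence target path looks wrong; empty list if it looks normal."""
    p = path.lower()
    reasons = []
    if p.startswith("c:\\windows\\") and not p.startswith(SYSTEM_DIRS):
        reasons.append("executable under C:\\Windows but outside System32/SysWOW64")
    if p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS):
        reasons.append("file name mimics a core Windows process")
    return reasons


def check_registry(rec):
    if "\\currentversion\\run\\" not in rec["key"].lower():
        return []
    name = rec["key"].rsplit("\\", 1)[-1]
    path = first_path(rec["data"])
    reasons = path_reasons(path)
    if rec["writer"].lower() == path.lower():
        reasons.append("binary registers itself (self-persistence)")
    return [Finding("high", "run_key", name, path, "; ".join(reasons))] if reasons else []


# /OPT or /OPT value, value quoted or bare (a bare value may not contain '/').
OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def parse_schtasks(cmd):
    return {k.upper(): v.strip('"') for k, v in OPT_RE.findall(cmd)}


def check_process(rec):
    cmd = rec["cmd"]
    if cmd.split()[0].lower() in ("schtasks", "schtasks.exe"):
        opts = parse_schtasks(cmd)
        if "CREATE" in opts:
            path = first_path(opts.get("TR", ""))
            reasons = path_reasons(path)
            if not reasons:  # elevated logon tasks are common for updaters; judge by target
                return []
            if opts.get("RL", "").upper() == "HIGHEST":
                reasons.append("runs with highest privileges")
            if opts.get("SC", "").upper() == "ONLOGON":
                reasons.append("fires at every logon")
            return [Finding("high", "schtask", opts.get("TN", ""), path, "; ".join(reasons))]
        if "DELETE" in opts:
            return [Finding("info", "schtask", opts.get("TN", ""), "", "deletes an existing task")]
    elif cmd.lower().startswith("netsh advfirewall firewall add rule"):
        kv = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmd)}
        if kv.get("dir") == "in" and kv.get("action") == "allow":
            path = kv.get("program", "")
            reasons = path_reasons(path)
            sev = "high" if reasons else "medium"
            reasons.insert(0, "inbound allow rule for a specific program")
            return [Finding(sev, "firewall", kv.get("name", ""), path, "; ".join(reasons))]
    return []


def triage(records=RECORDS):
    out = []
    for rec in records:
        out += check_registry(rec) if rec["kind"] == "registry" else check_process(rec)
    return out


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.severity}] {f.kind} {f.name!r} -> {f.path or '-'}: {f.reason}")
```

Run stand-alone it prints four high findings (both Run-key writes, the ONLOGON/HIGHEST task, the inbound firewall rule), all pointing at C:\Windows\rss\csrss.exe, one informational line for the deleted ScheduledUpdate task, and nothing for the OneDrive control. The same path rules apply unchanged to HKLM Run keys and to service ImagePath values.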

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
(64 hits, none with a description, indicator or target recorded; grouped by process)
14 x C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
12 x C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe
32 x C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
6 x C:\Windows\rss\csrss.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4816 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\system32\cmd.exe
PID 1508 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\system32\cmd.exe
PID 3684 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3684 wrote to memory of 3816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1508 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1508 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\rss\csrss.exe
PID 1508 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\rss\csrss.exe
PID 1508 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe C:\Windows\rss\csrss.exe
PID 2592 wrote to memory of 1028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1028 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 3572 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1580 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 5012 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2592 wrote to memory of 5012 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4520 wrote to memory of 1280 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1280 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 1280 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1280 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1280 wrote to memory of 1380 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
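
The rows above are the clearest record of the process chain in this detonation: two instances of the sample (4816 and 1508), the second one spawning four PowerShell children, the cmd/netsh pair and the dropped csrss.exe, which in turn spawns three PowerShell children and injector.exe; windefender.exe (4520) appears as a separate root driving cmd and sc.exe. The following is an added example, not part of the sandbox report, that parses the rows into a tree and flags images running from unusual locations. The rows are copied from the table with the triple 4816 -> 1692 entry kept to show de-duplication; the regex assumes, as is true here, that no path contains a space.

```python
"""Rebuild the behavioral2 process tree from 'Suspicious use of
WriteProcessMemory' rows.  Added example, not part of the sandbox report."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"
WINDEF = r"C:\Windows\windefender.exe"
CMD64, CMD32 = r"C:\Windows\system32\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"
NETSH, SC = r"C:\Windows\system32\netsh.exe", r"C:\Windows\SysWOW64\sc.exe"

# Rows copied from the table; the sandbox logs one row per write, so a child
# normally appears two or three times.  One triplicate is kept on purpose.
RAW_ROWS = [
    f"PID 4816 wrote to memory of 1692 N/A {SAMPLE} {PS}",
    f"PID 4816 wrote to memory of 1692 N/A {SAMPLE} {PS}",
    f"PID 4816 wrote to memory of 1692 N/A {SAMPLE} {PS}",
    f"PID 1508 wrote to memory of 2172 N/A {SAMPLE} {PS}",
    f"PID 1508 wrote to memory of 3684 N/A {SAMPLE} {CMD64}",
    f"PID 3684 wrote to memory of 3816 N/A {CMD64} {NETSH}",
    f"PID 1508 wrote to memory of 2984 N/A {SAMPLE} {PS}",
    f"PID 1508 wrote to memory of 3948 N/A {SAMPLE} {PS}",
    f"PID 1508 wrote to memory of 2592 N/A {SAMPLE} {CSRSS}",
    f"PID 2592 wrote to memory of 1028 N/A {CSRSS} {PS}",
    f"PID 2592 wrote to memory of 3572 N/A {CSRSS} {PS}",
    f"PID 2592 wrote to memory of 1580 N/A {CSRSS} {PS}",
    f"PID 2592 wrote to memory of 5012 N/A {CSRSS} {INJECTOR}",
    f"PID 4520 wrote to memory of 1280 N/A {WINDEF} {CMD32}",
    f"PID 1280 wrote to memory of 1380 N/A {CMD32} {SC}",
]

# Columns are space separated; this only works because no path here has a space.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(rows):
    """Return {(ppid, pid): (parent image, child image)}; duplicates collapse."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        ppid, pid, pimage, image = m.groups()
        edges[(int(ppid), int(pid))] = (pimage, image)
    return edges


def build_tree(edges):
    """Children map, pid -> image map, and roots (parents never seen as a child)."""
    children, image = defaultdict(list), {}
    for (ppid, pid), (pimage, cimage) in edges.items():
        children[ppid].append(pid)
        image.setdefault(ppid, pimage)
        image[pid] = cimage
    kids = {pid for pids in children.values() for pid in pids}
    roots = sorted(set(children) - kids)
    return children, image, roots


def render(children, image, roots):
    """Indented text tree, one line per process."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def non_standard_images(image):
    """PIDs whose image sits under C:\\Windows but outside System32/SysWOW64
    (csrss.exe and windefender.exe here) or under a user's Temp directory."""
    hits = {}
    for pid, path in image.items():
        p = path.lower()
        in_windows = p.startswith("c:\\windows\\")
        if (in_windows and not p.startswith(STANDARD_DIRS)) or "\\appdata\\local\\temp\\" in p:
            hits[pid] = path
    return hits


def analyze(rows=RAW_ROWS):
    children, image, roots = build_tree(parse_rows(rows))
    return children, image, roots


if __name__ == "__main__":
    children, image, roots = analyze()
    print(render(children, image, roots))
    for pid, path in sorted(non_standard_images(image).items()):
        print(f"non-standard image: {pid} {path}")
```

The tree makes one point the flat table hides: windefender.exe (4520) has no recorded parent in these rows, so its launch was not captured as a memory write, and the only processes the path rule flags are the sample itself, the dropped csrss.exe, injector.exe and windefender.exe.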

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe

"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe

"C:\Users\Admin\AppData\Local\Temp\cb40b2e1277994f9c7ffb75d3f391350b6a30905fc1ca82ee6c21cca424cd135.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
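
The sc sdset command line above rewrites the security descriptor of the WinDefender service. Read as SDDL, the DACL grants Builtin Administrators almost everything except SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT), then adds an explicit deny of exactly those two rights, which is the usual way of keeping an administrator from stopping the service; the S: part sets a SACL, which is also why sc.exe shows up with SeSecurityPrivilege in the AdjustPrivilegeToken table. The decoder below is an added example, not part of the sandbox report. The SDDL string is copied from the command line, the RIGHTS and TRUSTEES tables are the standard SDDL abbreviations for service objects, and DEFAULT_SDDL is a stock descriptor constructed for comparison.

```python
"""Decode the service SDDL applied by 'sc sdset WinDefender ...'.
Added example, not part of the sandbox report."""
import re

# Service-object access rights as abbreviated in SDDL.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive users", "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "access allowed", "D": "access denied", "AU": "system audit"}

# Copied from the command line in the Processes section.
MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed for comparison: a stock service descriptor, admins may stop/pause.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

ACL_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """'CCLCSW' -> ['CC', 'LC', 'SW']; hex masks are out of scope here."""
    if rights.startswith("0x"):
        raise ValueError("hex access masks are not decoded here")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Return {'D': [...], 'S': [...]} of (ace_type, flags, rights, trustee).
    ACE layout is type;flags;rights;object_guid;inherit_guid;trustee."""
    acls = {"D": [], "S": []}
    for which, body in ACL_RE.findall(sddl):
        for ace in ACE_RE.findall(body):
            f = ace.split(";")
            if len(f) != 6:
                raise ValueError(f"malformed ACE: {ace!r}")
            acls[which].append((f[0], f[1], split_rights(f[2]), f[5]))
    return acls


def describe(ace):
    ace_type, flags, rights, trustee = ace
    names = ", ".join(RIGHTS.get(r, r) for r in rights)
    flag_txt = f" [{flags}]" if flags else ""
    return f"{ACE_TYPES.get(ace_type, ace_type)}{flag_txt} -> {TRUSTEES.get(trustee, trustee)}: {names}"


def effective_rights(acls, trustee):
    """Rights the trustee keeps once every deny ACE naming it is applied.
    Windows evaluates ACEs in order, so this is a conservative summary; for
    the descriptor above it is exact because the BA allow ACE never grants
    WP or DT in the first place."""
    allowed, denied = set(), set()
    for ace_type, _, rights, who in acls["D"]:
        if who == trustee:
            (allowed if ace_type == "A" else denied).update(rights)
    return sorted(allowed - denied)


def admins_cannot_stop(acls):
    """The tamper-protection pattern: an explicit deny of SERVICE_STOP or
    SERVICE_PAUSE_CONTINUE to Builtin Administrators."""
    return any(t == "D" and who == "BA" and {"WP", "DT"} & set(rights)
               for t, _, rights, who in acls["D"])


if __name__ == "__main__":
    acls = parse_sddl(MALWARE_SDDL)
    for ace in acls["D"]:
        print("DACL", describe(ace))
    for ace in acls["S"]:
        print("SACL", describe(ace))
    print("admins denied stop/pause:", admins_cannot_stop(acls))
    print("admin rights left:", effective_rights(acls, "BA"))
```

For remediation the decoder also shows what the descriptor does not take away: Builtin Administrators keep WRITE_DAC, WRITE_OWNER, SERVICE_CHANGE_CONFIG and DELETE, so an elevated shell can reset the descriptor with sc sdset, disable the service with sc config, or remove it with sc delete before stopping it. The same parser can be pointed at sc sdshow output to hunt for any service whose DACL carries a deny ACE for BA.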

Network

Country Destination Domain Proto
US 8.8.8.8:53 ac306c17-673c-4c34-8c77-a20bad292b2c.uuid.dumppage.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.111:443 server7.dumppage.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.111:443 server7.dumppage.org tcp

Files

memory/4816-1-0x00000000049D0000-0x0000000004DD8000-memory.dmp

memory/4816-2-0x0000000004DE0000-0x00000000056CB000-memory.dmp

memory/4816-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1692-4-0x000000007405E000-0x000000007405F000-memory.dmp

memory/1692-5-0x0000000002D30000-0x0000000002D66000-memory.dmp

memory/1692-6-0x00000000054C0000-0x0000000005AEA000-memory.dmp

memory/1692-7-0x0000000074050000-0x0000000074801000-memory.dmp

memory/1692-8-0x0000000005B60000-0x0000000005B82000-memory.dmp

memory/1692-9-0x0000000005C00000-0x0000000005C66000-memory.dmp

memory/1692-10-0x0000000005C70000-0x0000000005CD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kiz1ra2j.hso.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Windows\windefender.exe
