Malware Analysis Report

2025-01-02 06:27

Sample ID 240516-e2hsysbh5y
Target bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36
SHA256 bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36
Tags
glupteba dropper loader discovery evasion execution persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36

Threat Level: Known bad

The file bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper loader discovery evasion execution persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 04:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 04:26

Reported

2024-05-16 04:28

Platform

win10v2004-20240426-en

Max time kernel

1s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe

"C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe"

Network

Files

memory/3224-1-0x0000000002930000-0x0000000002D2E000-memory.dmp

memory/3224-2-0x0000000002D30000-0x000000000361B000-memory.dmp

memory/3224-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 04:26

Reported

2024-05-16 04:28

Platform

win11-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3672 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\system32\cmd.exe
PID 956 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\system32\cmd.exe
PID 3400 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3400 wrote to memory of 3312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 956 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 956 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\rss\csrss.exe
PID 956 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\rss\csrss.exe
PID 956 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe C:\Windows\rss\csrss.exe
PID 4624 wrote to memory of 4372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 4372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 4372 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 3544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 3544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 3544 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 1824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 1824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 1824 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4624 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4624 wrote to memory of 4520 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4888 wrote to memory of 3556 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 3556 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 3556 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3556 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3556 wrote to memory of 1140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe

"C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe

"C:\Users\Admin\AppData\Local\Temp\bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cabc4f2c-e732-43ee-a87e-fd220c92a4d6.uuid.alldatadump.org udp
US 8.8.8.8:53 server9.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server9.alldatadump.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server9.alldatadump.org tcp
NL 52.111.243.30:443 tcp
BG 185.82.216.108:443 server9.alldatadump.org tcp
BG 185.82.216.108:443 server9.alldatadump.org tcp

Files

memory/3672-1-0x0000000002A90000-0x0000000002E8C000-memory.dmp

memory/3672-2-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/3672-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4768-4-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

memory/4768-5-0x0000000002E10000-0x0000000002E46000-memory.dmp

memory/4768-6-0x0000000005520000-0x0000000005B4A000-memory.dmp

memory/4768-7-0x0000000074DF0000-0x00000000755A1000-memory.dmp

memory/4768-8-0x0000000074DF0000-0x00000000755A1000-memory.dmp

memory/4768-9-0x0000000005430000-0x0000000005452000-memory.dmp

memory/4768-11-0x0000000005BC0000-0x0000000005C26000-memory.dmp

memory/4768-10-0x0000000005B50000-0x0000000005BB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0kuwtaoy.go0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4768-20-0x0000000005CB0000-0x0000000006007000-memory.dmp

memory/4768-21-0x00000000062F0000-0x000000000630E000-memory.dmp

memory/4768-22-0x0000000006320000-0x000000000636C000-memory.dmp

memory/4768-23-0x0000000006840000-0x0000000006886000-memory.dmp

memory/4768-24-0x0000000007710000-0x0000000007744000-memory.dmp

memory/4768-26-0x0000000071060000-0x00000000710AC000-memory.dmp

memory/4768-25-0x0000000074DF0000-0x00000000755A1000-memory.dmp

memory/4768-27-0x0000000071270000-0x00000000715C7000-memory.dmp

memory/4768-36-0x0000000007750000-0x000000000776E000-memory.dmp

memory/4768-37-0x0000000007770000-0x0000000007814000-memory.dmp

memory/4768-38-0x0000000074DF0000-0x00000000755A1000-memory.dmp

memory/4768-39-0x0000000007EE0000-0x000000000855A000-memory.dmp

memory/4768-40-0x00000000078A0000-0x00000000078BA000-memory.dmp

memory/4768-41-0x00000000078E0000-0x00000000078EA000-memory.dmp

memory/4768-42-0x00000000079A0000-0x0000000007A36000-memory.dmp

memory/4768-43-0x0000000007910000-0x0000000007921000-memory.dmp

memory/4768-44-0x0000000007950000-0x000000000795E000-memory.dmp

memory/4768-45-0x0000000007960000-0x0000000007975000-memory.dmp

memory/4768-46-0x0000000007A60000-0x0000000007A7A000-memory.dmp

memory/4768-47-0x0000000007A50000-0x0000000007A58000-memory.dmp

memory/4768-50-0x0000000074DF0000-0x00000000755A1000-memory.dmp

memory/956-52-0x0000000002A30000-0x0000000002E30000-memory.dmp

memory/2432-61-0x00000000057E0000-0x0000000005B37000-memory.dmp

memory/2432-62-0x0000000071060000-0x00000000710AC000-memory.dmp

memory/2432-63-0x00000000712B0000-0x0000000071607000-memory.dmp

memory/2432-72-0x0000000006ED0000-0x0000000006F74000-memory.dmp

memory/2432-73-0x0000000007220000-0x0000000007231000-memory.dmp

memory/2432-74-0x0000000007270000-0x0000000007285000-memory.dmp

memory/3672-75-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3672-76-0x0000000002A90000-0x0000000002E8C000-memory.dmp

memory/3672-77-0x0000000002E90000-0x000000000377B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 49c044166546ea1ccd6f61800c440fbe
SHA1 cfa3a8669e41e64e968012cfef6f37298585fd36
SHA256 85c205dd4a82cabc7e51411825e07a08d4d6d795404d6a98939a6362cb39d00d
SHA512 dbc5e1a45d2400355b475a41db582179b91acb0088d2f847a7bfee10bdd6e755f23e1a619cbd8d99317f09f16e8771cd810e2ac04d2e7d600cd1529793d2e95e

memory/4864-90-0x0000000071060000-0x00000000710AC000-memory.dmp

memory/4864-91-0x0000000071270000-0x00000000715C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 17d344c7719a622bbbab0d970442404d
SHA1 2518deeaa9c77e7f5dc886a4e1030ff1efccb1ab
SHA256 343788e4b0b96d863fde346631942bf225114db2e85d7710e347b6f2ddb0682b
SHA512 be46bfbd2b2b240b02908f095aee8ae0e0ce58cd92090d6974e0d0c58ae41266245411c46696cecfe714ef4200e40e53ee9f8b1bab1413a6da181ec258d252c5

memory/416-110-0x0000000071060000-0x00000000710AC000-memory.dmp

memory/416-111-0x0000000071270000-0x00000000715C7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 393ae5f8768a1ee7c0be487ed7de4b91
SHA1 f1ff2e591b450b20f62469767215527fdab4bce7
SHA256 bcb9e13132021147e43c99bca20197ce0632459fa45b2e1d144dcb6880e69d36
SHA512 3c32ee01456b6d6ad8bc29f68113077d429aec93c37f6e1e99e80bd013358713535ed6d24bfc00084c12bb2dc4762be9cfda7fbf87dcf738a8543ada453faec1

memory/956-124-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4372-135-0x00000000063C0000-0x0000000006717000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1f5db7c65ba57f1559f49788c62f5133
SHA1 e3b30ff65bbef524387e2cb67b1657d9cfecfc26
SHA256 2bc305af2adbc384f12a4e1d879c5a894d309a91ef7626a0aa2da6844684075f
SHA512 38619579db7ff04c904bafde459dbeff6c252b7cc3614e531adb3509c5a4bb110a13cec1d86a0fea97a7ea4ba983c4a4d61420ee5335b970cc6ca9028d1b54cb

memory/4372-137-0x0000000071060000-0x00000000710AC000-memory.dmp

memory/4372-138-0x00000000711E0000-0x0000000071537000-memory.dmp

memory/3544-157-0x0000000005AD0000-0x0000000005E27000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4b12ce57c041076dfe5049c01ac99f8b
SHA1 40ed2ffa8910dd913f0256b4f40e7d83895f907d
SHA256 c5755e64350a95dfc1efd1ade00380d03bd00acd3f0ad2fa337599119e0a63e9
SHA512 8461cfe69168700b53f9ed0f84addc1ff2ef734d7a11beb2ddd8b8171ebfa2a669c4f7a32f4c4456903f7c49e35f37a0c88ea71299b8ff4800fd5198d12e4abe

memory/3544-159-0x0000000006550000-0x000000000659C000-memory.dmp

memory/3544-160-0x0000000070F80000-0x0000000070FCC000-memory.dmp

memory/3544-161-0x00000000711D0000-0x0000000071527000-memory.dmp

memory/3544-170-0x00000000072E0000-0x0000000007384000-memory.dmp

memory/3544-171-0x0000000007620000-0x0000000007631000-memory.dmp

memory/3544-172-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/1824-182-0x0000000005E70000-0x00000000061C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 41219de1f9d9a0039e9412fde8d91550
SHA1 2fb4821413fbd02481db1ea5a3b496778d6e5573
SHA256 87fae8f90b78cf14e9a4595f5aca0520ffafa4167a87911f98f8026ffa705a76
SHA512 28650d3997799299e82e468c6af5fb1895bffaf4bffde500746a84694475f065e73f67f7fadb15cbcbf5a2887c791cc373d54671d6f4be03640504df8ef6d77d

memory/1824-184-0x0000000070F80000-0x0000000070FCC000-memory.dmp

memory/1824-185-0x0000000071100000-0x0000000071457000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4624-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4888-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3132-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4888-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4624-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3132-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4624-213-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3132-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4624-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-244-0x0000000000400000-0x0000000000D1C000-memory.dmp