Malware Analysis Report

2024-12-08 02:07

Sample ID 240516-wd4tysgc4x
Target 1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096
SHA256 1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096
Tags
glupteba discovery dropper evasion execution loader persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096

Threat Level: Known bad

The file 1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:49

Reported

2024-05-16 17:51

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(18 matches; the sandbox recorded no description, indicator, process or target for any of them, so the 18 identical N/A rows are collapsed here)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

\??\WinMonFS is a device name rather than a file: it belongs to the WinMonFS kernel driver that Glupteba is known to install as its rootkit component (a file-system filter used to hide the malware's own files). The dropped csrss.exe opening that device means a user-mode loader is already talking to a loaded driver, which is why the tag combines rootkit with evasion. Whether the driver was installed during this run or was already present cannot be read from this row alone.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification (4 times) C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

StartupProfileData-Interactive is PowerShell's own start-up cache and powershell.exe.log is the CLR usage log; both are written by powershell.exe itself when it starts, not dropped by the sample. Their location matters more than their content: config\systemprofile is the profile directory of the LocalSystem account (seen here through the 32-bit file-system redirector, hence SysWOW64), which points to the PowerShell children running in that context. The report does not record process tokens or integrity levels, so confirm this from the process tree rather than assuming it.

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A

The signature name is the sandbox's label; what the row shows is a device open, not a DLL load. \??\VBoxMiniRdrDN is the device object of the VirtualBox shared-folders (Guest Additions) driver and exists only inside a VirtualBox guest, so a successful open tells the sample it is being analysed. The detonation continued regardless, so on this platform the check did not abort execution.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
(64 rows, regrouped by writing process with repeated rows collapsed and counted. Every key is under \REGISTRY\USER\.DEFAULT, the hive that belongs to the LocalSystem account, whereas the Run key above was written under the logged-on user's SID S-1-5-21-1337824034-2731376981-3755436523-1000. The report does not record the user or integrity level of each process, so the security context of these writers should be confirmed from the process tokens rather than assumed.)

Writer: C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe
MUI string-cache entries written while the sample resolved localized time-zone names from tzres.dll. They are noise for IOC purposes but show the sample enumerated the system's time zones. Each row is "Set value (str)" under \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-N:
-352 = "FLE Standard Time"
-1891 = "Russia TZ 3 Daylight Time"
-2001 = "Cabo Verde Daylight Time"
-161 = "Central Daylight Time"
-2062 = "North Korea Standard Time"
-81 = "Atlantic Daylight Time"
-292 = "Central European Standard Time"
-2061 = "North Korea Daylight Time"
-531 = "Sri Lanka Daylight Time"
-215 = "Pacific Standard Time (Mexico)"
-2772 = "Omsk Standard Time"
-12 = "Azores Standard Time"
-721 = "Central Pacific Daylight Time"
-1911 = "Russia TZ 10 Daylight Time"
-241 = "Samoa Daylight Time"
-2162 = "Altai Standard Time"
-105 = "Central Brazilian Standard Time"
-2791 = "Novosibirsk Daylight Time"
-562 = "SE Asia Standard Time"
-1971 = "Belarus Daylight Time"
-501 = "Nepal Daylight Time"
-2572 = "Turks and Caicos Standard Time"
-2452 = "Saint Pierre Standard Time"
-41 = "E. South America Daylight Time"
-2632 = "Norfolk Standard Time"

Writer: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Certificate-store, WinTrust and Internet-zone keys that CryptoAPI, WinTrust and WinINet create under the account's hive when a .NET host such as powershell.exe initialises; routine start-up side effects of PowerShell under that account rather than deliberate changes by the sample. Each row is "Key created" under \REGISTRY\USER\.DEFAULT\Software\ unless marked otherwise:
Microsoft\SystemCertificates\CA
Microsoft\SystemCertificates\CA\Certificates
Microsoft\SystemCertificates\CA\CRLs (x2)
Microsoft\SystemCertificates\CA\CTLs
Microsoft\SystemCertificates\Disallowed
Microsoft\SystemCertificates\Disallowed\CTLs (x3)
Microsoft\SystemCertificates\Root (x2)
Microsoft\SystemCertificates\Root\Certificates
Microsoft\SystemCertificates\Root\CRLs (x2)
Microsoft\SystemCertificates\SmartCardRoot
Microsoft\SystemCertificates\SmartCardRoot\CTLs (x2)
Microsoft\SystemCertificates\trust
Microsoft\SystemCertificates\trust\CRLs
Microsoft\SystemCertificates\TrustedPeople
Microsoft\SystemCertificates\TrustedPeople\Certificates
Microsoft\SystemCertificates\TrustedPeople\CRLs
Policies\Microsoft\SystemCertificates\Disallowed
Policies\Microsoft\SystemCertificates\TrustedPeople
Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (x2)
Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (x2)
Policies\Microsoft\SystemCertificates\trust\CRLs
Policies\Microsoft\SystemCertificates\trust\CTLs (x2)
Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (x5)
Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"

Suspicious behavior: EnumeratesProcesses

(64 rows carrying only the process column; collapsed to one row per process with the number of hits, in descending order)
Process Hits
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe 36
C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe 12
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 12
C:\Windows\rss\csrss.exe 4

The injector accounts for more than half of the hits, which fits it polling the process list for the taskmgr.exe it is told to inject into (see its command line under Processes).

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(30 rows; the same parent/child pair is logged two or three times, so pairs are collapsed here with their row count. Read as a tree: two instances of the sample ran. PID 1544 spawned a single PowerShell. PID 1208 made the firewall change through cmd.exe and netsh.exe, spawned the remaining PowerShell instances and started C:\Windows\rss\csrss.exe, which in turn spawned three more PowerShell instances and the injector.)
PID 1544 wrote to memory of 3864 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 2096 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 2616 (x2) N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2828 (x2) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1208 wrote to memory of 3224 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 4892 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1208 wrote to memory of 4180 (x3) N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\rss\csrss.exe
PID 4180 wrote to memory of 3304 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 3732 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 5060 (x3) N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4180 wrote to memory of 1896 (x2) N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
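The WriteProcessMemory table is really a process tree with every edge logged two or three times. The script below is an added example, written for this page and not part of the report or of the sandbox's own tooling: it parses the table's row format (Description, Indicator, Process, Target), collapses the duplicate rows, and prints the tree rooted at each sample instance. The rows are reproduced from the table above with their original multiplicities; the parser assumes, as holds for every path in this report, that no path contains a space.

```python
import re
from collections import Counter, defaultdict

# Paths exactly as they appear in the report's WriteProcessMemory table.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
INJECTOR = r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe"

# The 30 rows of the table, reproduced with their duplicates (the sandbox
# logs the same parent/child pair two or three times).
TABLE = "\n".join(
    [f"PID 1544 wrote to memory of 3864 N/A {SAMPLE} {PS}"] * 3
    + [f"PID 1208 wrote to memory of 2096 N/A {SAMPLE} {PS}"] * 3
    + [f"PID 1208 wrote to memory of 2616 N/A {SAMPLE} {CMD}"] * 2
    + [f"PID 2616 wrote to memory of 2828 N/A {CMD} {NETSH}"] * 2
    + [f"PID 1208 wrote to memory of 3224 N/A {SAMPLE} {PS}"] * 3
    + [f"PID 1208 wrote to memory of 4892 N/A {SAMPLE} {PS}"] * 3
    + [f"PID 1208 wrote to memory of 4180 N/A {SAMPLE} {CSRSS}"] * 3
    + [f"PID 4180 wrote to memory of 3304 N/A {CSRSS} {PS}"] * 3
    + [f"PID 4180 wrote to memory of 3732 N/A {CSRSS} {PS}"] * 3
    + [f"PID 4180 wrote to memory of 5060 N/A {CSRSS} {PS}"] * 3
    + [f"PID 4180 wrote to memory of 1896 N/A {CSRSS} {INJECTOR}"] * 2
)

# Columns: Description ("PID <p> wrote to memory of <c>"), Indicator (N/A),
# Process, Target. No path in this report contains a space, so a whitespace
# split is safe; a general parser would need the column boundaries instead.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(table):
    """Return Counter{(parent_pid, child_pid, parent_path, child_path): row count}."""
    edges = Counter()
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return edges


def build_tree(edges):
    """Collapse duplicate rows into parent -> [children], PID -> image, and root PIDs."""
    children = defaultdict(list)
    image = {}
    for parent, child, parent_path, child_path in edges:
        image[parent] = parent_path
        image[child] = child_path
        children[parent].append(child)
    all_children = {c for cs in children.values() for c in cs}
    roots = sorted(pid for pid in image if pid not in all_children)
    return children, image, roots


def render(children, image, pid, depth=0):
    """Indented text tree, one line per process, showing PID and image name."""
    name = image[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for child in sorted(children.get(pid, [])):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, image, roots = build_tree(parse_edges(TABLE))
    for root in roots:
        print("\n".join(render(children, image, root)))
        print()
```

Running it prints two trees, one under PID 1208 and one under PID 1544, which makes the division of labour between the two sample instances visible at a glance; the same parser works on any Triage-style WriteProcessMemory table whose paths are space-free.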

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe

"C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe

"C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Sysnative is the alias through which a 32-bit process reaches the real 64-bit System32, so the sample is a 32-bit binary launching 64-bit cmd.exe and netsh.exe, consistent with it using the SysWOW64 PowerShell elsewhere. The rule itself opens inbound traffic to the dropped csrss.exe; a firewall rule named after a system process whose program path lies outside System32 is the combination to hunt for.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

The first command registers the dropped csrss.exe to run at every logon with the highest run level the account allows, and /F silently replaces any task already named csrss; the report shows this command run twice (here and again after the injector). The second command deletes a task named ScheduledUpdate that nothing else in this report creates, so on a live host its prior existence would have to be checked from the Task Scheduler event log rather than from this run.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

The injector takes a target process name and a DLL path. NtQuerySystemInformation is the API Task Manager calls to enumerate processes, so a DLL of that name loaded into taskmgr.exe fits a user-mode hook that filters the malware's processes out of Task Manager's list, complementing the kernel-side WinMonFS access seen above. The 36 EnumeratesProcesses hits attributed to injector.exe are consistent with it waiting for taskmgr.exe to appear.

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 eff826d8-cce5-47df-980e-de70858d7d1e.uuid.allstatsin.ru udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.allstatsin.ru udp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
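Most of the 30 rows above are reverse lookups the guest performs for every peer it talks to, and several more are infrastructure the Windows image contacts on its own. The script below is an added example for this page, not code from the report or from the sandbox vendor: it parses the table's row format, separates that noise from the sample's own traffic, counts the suspect endpoints, and flags DNS names whose first label is a UUID. The allowlist and the "review" list are assumptions made for the example; the table text is reproduced verbatim from the report.

```python
import re
from collections import Counter, defaultdict

# The Network table above, verbatim: Country Destination Domain Proto.
NETWORK_TABLE = """\
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 eff826d8-cce5-47df-980e-de70858d7d1e.uuid.allstatsin.ru udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.allstatsin.ru udp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
US 74.125.250.129:19302 stun4.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.104:443 server3.allstatsin.ru tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8"
# Infrastructure the sandbox's Windows image contacts on its own (assumed
# allowlist for the example, not something the report states).
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".l.google.com")
# Legitimate services routinely abused for payload hosting: kept, but
# reported separately so they are neither dropped as noise nor called C2.
REVIEW_SUFFIXES = (".discordapp.com",)
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.", re.I)


def parse_rows(text):
    """One dict per table row; a row to the resolver on udp/53 is a DNS lookup."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        kind = "dns" if ip == RESOLVER and port == "53" else "conn"
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto, "kind": kind})
    return rows


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "ptr-noise"  # reverse lookups the OS performs for every peer
    if domain.endswith(BENIGN_SUFFIXES):
        return "benign-infra"
    if domain.endswith(REVIEW_SUFFIXES):
        return "review"
    return "suspect"


def triage(rows):
    """Bucket domains by class, count suspect connections, flag UUID-labelled names."""
    domains = defaultdict(set)
    endpoints = Counter()
    uuid_labels = []
    for r in rows:
        cls = classify(r["domain"])
        domains[cls].add(r["domain"])
        if cls == "suspect" and r["kind"] == "conn":
            endpoints[(r["ip"], r["port"], r["proto"])] += 1
        if cls == "suspect" and UUID_LABEL.match(r["domain"]):
            uuid_labels.append(r["domain"])
    return dict(domains), endpoints, uuid_labels


if __name__ == "__main__":
    domains, endpoints, uuid_labels = triage(parse_rows(NETWORK_TABLE))
    for cls in ("suspect", "review", "benign-infra"):
        print(f"{cls}: {sorted(domains.get(cls, ()))}")
    print("suspect endpoints:", dict(endpoints))
    print("uuid-labelled lookups:", uuid_labels)
```

Two things the output makes explicit that the raw table does not: the only suspect endpoint actually connected to is 185.82.216.104:443 (three TLS sessions to server3.allstatsin.ru), and the UUID-labelled name is looked up but never connected to, so the lookup itself may be the signal. For hunting, the pattern *.uuid.allstatsin.ru is the indicator to keep; the specific label is likely per-host and will not recur.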

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5cmevo1.skw.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:49

Reported

2024-05-16 17:51

Platform

win11-20240419-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4300 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 224 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 224 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 224 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 224 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 224 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe C:\Windows\rss\csrss.exe
PID 3112 wrote to memory of 2156 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 4808 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2844 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 560 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe

"C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe

"C:\Users\Admin\AppData\Local\Temp\1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 61e5f85f-485a-4ed6-bb0a-9d4ce563f667.uuid.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.allstatsin.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server10.allstatsin.ru tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.104:443 server10.allstatsin.ru tcp
N/A 127.0.0.1:31464 N/A tcp
US 104.16.236.243:443 blockchain.info tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lea5pouz.iuh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5d2d7d1648c45e114d9ebff25e386c7
SHA1 c2eb51002aae0d825994bc2335ea919b9117a2ad
SHA256 49cbdcc97b49d7265766fe7f49597cb70e9025e14c3a0cac03d99f8c0640df18
SHA512 6bfe1e965140e2d2b3197e5581014595e5eacfc7eeca40256fa6b4af4bb3daf939dbb3cea3edf663b27451c0173b4c84fb91460f4905dc0940842af53bc3af35

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb6ac2bb4ac31240b210a9e7f2da5e25
SHA1 2fd249e3d80ea992cda36401d54276f3dd25b6fb
SHA256 c32b8672d4828038d4aaf4f4f18396459e669daeed78025e56c18757015fa508
SHA512 7d0d667e1ffba997c405e0baa153868568a258e5363e21be5a14dc7be6c97f03faa4bfc8aab36503278d9bfc5f88e7d6be3a556388d5461ad7d8bafc4c7d0920

C:\Windows\rss\csrss.exe

MD5 0366f0d71bcb6b15a8dc310635ec2435
SHA1 e3c53e619ded72c0eec7b88d01baedeac47a5ed8
SHA256 1fac81c43a34dfe91d46277cb2522cb1b0cd335741926a20f8681babf54cf096
SHA512 f12eddb4b6ac5c056c2052a453abe364369bcb85a24fabd8583f2837289bb532d5855d00bcc36223a6111513d30032abc7775d3806cfc5729a487f15b1f7d8bd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 62086b4035f666a3f0c4ea10824b4a93
SHA1 c82e2271db21166496a5155e5c1946537b5be62e
SHA256 113bd3617f19250253e9a6da337950b94283c1b6c7130a221d1aae1229d09a0b
SHA512 5679e33e05371c221836570ccd90fd6d66f9f8ec03b3434e72009ae7063f382e7e7ea4c880caaeee0eb818e9a4ab895529964074332a567dcb4126818d6c0095

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0b19aa20929d3656a2f29ee48ffc33d8
SHA1 5dd4ff14f8b81a95890c17fd7fed9c479c533d31
SHA256 7c0fa67e7033965554ad28fc696268bce2f16f2cba077b41f7a8bcb7dfa227e3
SHA512 d8788d9694b3e3bf6b7cec39a6c44b7866b262ee94ee93f8ab3ff5bef65201afa77036d190b3c5a92bc1f765d743bb7a78adc82a4112bfd12e4554348d233f38

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1d8d63559cd63fce68641f379843f6e1
SHA1 1dc77a13c3864faf37c97d0908ae82be2751b395
SHA256 5d3c93528e19c9828577b6565f7a48281e7a603d55f861ca9eadf839c8d92968
SHA512 44532d7fc8f838f2eec50ddece08a5de721beb8e9a767b5d0f83098daf8afb304d177f85883a5cf3e7f178d84f9fa93271b6ddb1acecd92edc15d39fbcec3ea1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
