Malware Analysis Report

2024-12-08 02:04

Sample ID 240516-wgf73agd8w
Target 603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459
SHA256 603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459

Threat Level: Known bad

The file 603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 17:53

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 17:53

Reported

2024-05-16 17:55

Platform

win11-20240508-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\system32\cmd.exe
PID 1160 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1160 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2948 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\rss\csrss.exe
PID 2948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\rss\csrss.exe
PID 2948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\rss\csrss.exe
PID 1772 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2116 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 72 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 72 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 72 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4744 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 4472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1772 wrote to memory of 4472 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4580 wrote to memory of 2952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 2952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 2952 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2952 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2952 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe

"C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe

"C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 1980768e-79e2-4162-a458-40a53d52fbe0.uuid.dumppage.org udp
US 8.8.8.8:53 server7.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server7.dumppage.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.111:443 server7.dumppage.org tcp
BG 185.82.216.111:443 server7.dumppage.org tcp
BG 185.82.216.111:443 server7.dumppage.org tcp

Files

memory/3604-1-0x0000000002A40000-0x0000000002E3D000-memory.dmp

memory/3604-2-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/3604-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/936-4-0x00000000749EE000-0x00000000749EF000-memory.dmp

memory/936-5-0x0000000004DC0000-0x0000000004DF6000-memory.dmp

memory/936-6-0x00000000055A0000-0x0000000005BCA000-memory.dmp

memory/936-7-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/936-8-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/936-9-0x00000000054E0000-0x0000000005502000-memory.dmp

memory/936-10-0x0000000005CC0000-0x0000000005D26000-memory.dmp

memory/936-11-0x0000000005D30000-0x0000000005D96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_au2je5b2.5ca.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/936-20-0x0000000005DA0000-0x00000000060F7000-memory.dmp

memory/936-21-0x0000000006270000-0x000000000628E000-memory.dmp

memory/936-22-0x00000000062B0000-0x00000000062FC000-memory.dmp

memory/936-23-0x00000000066B0000-0x00000000066F6000-memory.dmp

memory/936-25-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/936-35-0x00000000076E0000-0x00000000076FE000-memory.dmp

memory/936-26-0x0000000070DD0000-0x0000000071127000-memory.dmp

memory/936-24-0x00000000076A0000-0x00000000076D4000-memory.dmp

memory/936-37-0x0000000007700000-0x00000000077A4000-memory.dmp

memory/936-36-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/936-38-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/936-39-0x0000000007E70000-0x00000000084EA000-memory.dmp

memory/936-40-0x0000000007820000-0x000000000783A000-memory.dmp

memory/936-41-0x0000000007860000-0x000000000786A000-memory.dmp

memory/936-42-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/936-43-0x0000000007880000-0x0000000007891000-memory.dmp

memory/936-44-0x00000000078D0000-0x00000000078DE000-memory.dmp

memory/936-45-0x00000000078E0000-0x00000000078F5000-memory.dmp

memory/936-46-0x0000000007930000-0x000000000794A000-memory.dmp

memory/936-47-0x0000000007960000-0x0000000007968000-memory.dmp

memory/936-50-0x00000000749E0000-0x0000000075191000-memory.dmp

memory/2948-52-0x0000000002A50000-0x0000000002E51000-memory.dmp

memory/1336-61-0x00000000062B0000-0x0000000006607000-memory.dmp

memory/1336-62-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/1336-63-0x0000000070E80000-0x00000000711D7000-memory.dmp

memory/1336-72-0x0000000007A70000-0x0000000007B14000-memory.dmp

memory/1336-73-0x0000000007D90000-0x0000000007DA1000-memory.dmp

memory/3604-75-0x0000000002A40000-0x0000000002E3D000-memory.dmp

memory/3604-74-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1336-76-0x0000000007DE0000-0x0000000007DF5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 40ebbd960afbc96f10317ea0c72059fc
SHA1 fc1259220cbc13bb206c0116ca033e1db5eed754
SHA256 6e4e4b51251a5ada2fc67c5c76c3253963a129b778d537331355e6749e1ac457
SHA512 0a0e5f8e7162f87101284f1916cc9ed404069e0f6a08c2a6e80972b551f92e8092aeb6c2a1ea4625433d2fb35c4bc3d0f13162d2bbe0d51f41330211d6fcb60b

memory/1624-89-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/1624-90-0x0000000070DD0000-0x0000000071127000-memory.dmp

memory/4848-108-0x0000000005E30000-0x0000000006187000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d729a6142b38a726353969d60040277f
SHA1 679463b3273f505bfdb9004d157e61bee81ecb8e
SHA256 96a5fc844161942b1398c2d661639ccd3687bd0cd3dbe8a91979d3f3886db623
SHA512 ae4305eb7e216c5880538fe120e83f1c8051c1a68a4214ef1ca3c76a3ca5ec79ba3df174a45f874b72d2a2d5b3aeb2b543e7afb2f93a510d8615992a7613e090

memory/4848-110-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/4848-111-0x0000000070E60000-0x00000000711B7000-memory.dmp

memory/3604-120-0x0000000002E40000-0x000000000372B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0e79a5e89c95642a0079fcc633194cf9
SHA1 1a1193cd1e59825438c6702f14afbad40156d1f8
SHA256 603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459
SHA512 f2829d3a06f1dc9c0889c79b86145a6a45a6b4bf0502c358502fdd3f60fd0ba8a323754f4381729e4bd7931fd1ec227cb5231cf4f114bdcfff28253a46ff25c0

memory/2948-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 72988d640ac0e2707a2d09004c690ca2
SHA1 aa6b24e73f4499d32795b1832465ce45a050ff50
SHA256 2ce864b1e54f104d6d803fa9c8af8a0fab09321d9a9994b725fb8bf9e01abf9c
SHA512 b097c4c31fd826172cc2f2fe8f35dc8659f4d7ac8937c9802804da8b938c8bf8a8d964388415d291f24f3891709cc9ce8e450236085cef92839b8398802c9737

memory/2116-138-0x0000000070DD0000-0x0000000071127000-memory.dmp

memory/2116-137-0x0000000070C50000-0x0000000070C9C000-memory.dmp

memory/72-157-0x0000000006150000-0x00000000064A7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f019c5e3b48ef6e1ae0a79306cfb23e8
SHA1 136241a053e7d97f0f47301b1a7a998ed396f541
SHA256 9530a6fa4a6c89354b375350fe683b7ee43959ea34729584ce5e3125999b3616
SHA512 709a333e28fa861d2a9c66d9f2605ffd0c54ce3fb684e2ab5677f9de48fedc538b1e75dfab5f22d7b59c67a4f8faf261938f41d1cbaf027deab8ebca6011716e

memory/72-159-0x0000000006750000-0x000000000679C000-memory.dmp

memory/72-160-0x0000000070B70000-0x0000000070BBC000-memory.dmp

memory/72-161-0x0000000070D10000-0x0000000071067000-memory.dmp

memory/72-170-0x0000000007980000-0x0000000007A24000-memory.dmp

memory/72-171-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

memory/72-172-0x00000000064F0000-0x0000000006505000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0c54f7fc218c07265e9f9891124c21e7
SHA1 e49836ab23a4b4bde1a6e144c2489f16d8524ce0
SHA256 12752639c515fe43cda2d83c4d1cbe8732394250fee87d4ca8bc1f4c6f35818e
SHA512 4215469521861b0fc730a6f5c6319e669c59a8c5caa28469150300c0ad79ca4c77dd31edf0c27994fd4287269ae79908f0f7bacfdd6ff111bd8259351c976cb8

memory/4744-183-0x0000000070B70000-0x0000000070BBC000-memory.dmp

memory/4744-184-0x0000000070D10000-0x0000000071067000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1772-199-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4580-204-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5028-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4580-208-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1772-209-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5028-212-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1772-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5028-217-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1772-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-227-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1772-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 17:53

Reported

2024-05-16 17:56

Platform

win10v2004-20240426-en

Max time kernel

25s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\system32\cmd.exe
PID 4556 wrote to memory of 1240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4616 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4616 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe C:\Windows\rss\csrss.exe
PID 1956 wrote to memory of 4256 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3220 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 3076 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 2412 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe

"C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe

"C:\Users\Admin\AppData\Local\Temp\603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 08563da0-abdd-485a-b18c-f33ceaa7f594.uuid.dumppage.org udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngw2z3nx.2my.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a781efa028a8a65c265ceddae9bfb8a3
SHA1 fee88824c1fb9b3e8fe767651d7c4de6befa7a3f
SHA256 a9d6303b6b68cac8bcd36962d7e1015e2a2458797c69e06fe76924f00a192d6f
SHA512 536548b4643887a87727da865e2eb177169f18848bdd1c845356359ac891670f8d3910b5f7c75407b97be3d79b889e0560cf73e42178dcdf3b81c72e255db405

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 384854fe0bc11072972a47a90eaf5b1d
SHA1 65e6f7624e0eaa62ad10930690bcbb25d60da1f7
SHA256 17dd541cec08773dbff9d9ea40e31dbc282c712e0bd697ee7a37ac6a25fda359
SHA512 b9d6c113e06fef2c128adb25cbd9ad957007f9a1af16c403157da3b5ad8152b069fda681fe4b0577bdf9b8b59177df034f5fa7d5ef4de4c2fe69655ed93e6495

C:\Windows\rss\csrss.exe

MD5 0e79a5e89c95642a0079fcc633194cf9
SHA1 1a1193cd1e59825438c6702f14afbad40156d1f8
SHA256 603f5b8997203105d6f555b8c6546d62c95b000811423494f738638de6368459
SHA512 f2829d3a06f1dc9c0889c79b86145a6a45a6b4bf0502c358502fdd3f60fd0ba8a323754f4381729e4bd7931fd1ec227cb5231cf4f114bdcfff28253a46ff25c0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 89204f3ef52c3fa5a66d6183f6351a44
SHA1 41e9680c10546f665b31fd9e6d743f93c555ad27
SHA256 1d742133fe577c0c2a329717202c3ce8fd433dfb1443360e004b2eb244ba51d2
SHA512 0ca1f4ffa6c513eff1859f7360f3856bb9e0e78891aaeb4a83e1f677d8a6148f1d48b0511778e8b4963fe2a39f54744d96f8d4559af98b0ea97e3bfce0260381

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf818af2edf3a4e37f7e211b6d853119
SHA1 e160d464f51c983408efc6714283a628747e1fe3
SHA256 4f27005f1376e780d380f5ca1d1cb910133906a00f4ae0730aa8d0c021d47e5f
SHA512 4532ba5ff5ef717e21a1eea0a36c929719145a4629cc98bdd85fbc24f9a0930b9ba9f469984fc3a04c5661aa21a5abd785176758ae2dcd4d8619ec3dede586c5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 411c68af7685378a404c3c63120103bd
SHA1 ae4bd228a13f4a1e8e275df980237ca7c5e4bfb6
SHA256 68a32b06f68bfd5cca6aa680518219f9b359cf83d82de77b260edc427684e0ea
SHA512 71fef9f6b7d3d35c4288e141279c5f57c069641127c7cd3d424a8a68e9aaa270b2e5610fbb30554a45d3d8ee553ab4bd788d8c93c35b89e29aa6e41de88eef60

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5