Malware Analysis Report

2024-11-13 19:44

Sample ID 240517-h2j8kafc59
Target 266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18
SHA256 266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18

Threat Level: Known bad

The file 266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18 was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 07:13

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 07:13

Reported

2024-05-17 07:14

Platform

win11-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 07:13

Reported

2024-05-17 07:16

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\system32\cmd.exe
PID 3384 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3384 wrote to memory of 1084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1068 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1068 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\rss\csrss.exe
PID 1068 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\rss\csrss.exe
PID 1068 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe C:\Windows\rss\csrss.exe
PID 1364 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 1492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 3832 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1364 wrote to memory of 4668 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1364 wrote to memory of 4668 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2328 wrote to memory of 2672 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2672 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2672 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2672 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2672 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

Process C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe
Command line "C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe"

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe
Command line "C:\Users\Admin\AppData\Local\Temp\266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18.exe"

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\system32\cmd.exe
Command line C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

Process C:\Windows\system32\netsh.exe
Command line netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\rss\csrss.exe
Command line C:\Windows\rss\csrss.exe

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\SYSTEM32\schtasks.exe
Command line schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Process C:\Windows\SYSTEM32\schtasks.exe
Command line schtasks /delete /tn ScheduledUpdate /f

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line powershell -nologo -noprofile

Process C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Process C:\Windows\SYSTEM32\schtasks.exe
Command line schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Process C:\Windows\windefender.exe
Command line "C:\Windows\windefender.exe"

Process C:\Windows\SysWOW64\cmd.exe
Command line cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Process C:\Windows\SysWOW64\sc.exe
Command line sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Process C:\Windows\windefender.exe
Command line C:\Windows\windefender.exe
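The command lines in the process list carry the whole persistence and self-protection chain. The sample copies itself to C:\Windows\rss\csrss.exe (the genuine csrss.exe only ever runs from System32), opens an inbound firewall allow rule for that path, registers an ONLOGON scheduled task at the highest run level under the same name, and launches a 64-bit cmd.exe through the C:\Windows\Sysnative alias, which is how a 32-bit (SysWOW64) process reaches the native System32 past file-system redirection. The injector.exe line names taskmgr.exe as the target and a DLL called NtQuerySystemInformationHook.dll, which by its name hooks the API Task Manager uses to enumerate processes; the page does not show what the hook does beyond that. The sc sdset call sets a DACL on a service named WinDefender (the real Microsoft Defender Antivirus service is WinDefend) whose third ACE, (D;;WPDT;;;BA), denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE to Builtin Administrators, so an elevated net stop or sc stop fails; the allow ACE before it still grants WRITE_DAC (WD), DELETE (SD) and CHANGE_CONFIG (DC), which is the remediation path. The Python below is an added triage example, not code from the report or from the sample: it re-reads those command lines, flags the masquerading paths and persistence commands, and parses the service DACL to show what Administrators keep and lose. The list of core Windows process names and the rights table for service objects are the example's own.

```python
import re

# Command lines copied from the behavioral1 process list above; everything
# else in this block is an added triage routine, not part of the report.
OBSERVED = [
    'cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in '
    'action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes"',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'schtasks /delete /tn ScheduledUpdate /f',
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe taskmgr.exe '
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\NtQuerySystemInformationHook.dll',
    'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)'
    '(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
    'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]

# Core Windows process names only ever run from these directories (example's own list).
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
SYSTEM_NAMES = {'csrss.exe', 'smss.exe', 'lsass.exe', 'services.exe',
                'winlogon.exe', 'svchost.exe'}

# SDDL two-letter rights as they apply to service objects (sc sdset / sc sdshow).
SERVICE_RIGHTS = {
    'CC': 'QUERY_CONFIG', 'DC': 'CHANGE_CONFIG', 'LC': 'QUERY_STATUS',
    'SW': 'ENUMERATE_DEPENDENTS', 'RP': 'START', 'WP': 'STOP',
    'DT': 'PAUSE_CONTINUE', 'LO': 'INTERROGATE', 'CR': 'USER_DEFINED_CONTROL',
    'SD': 'DELETE', 'RC': 'READ_CONTROL', 'WD': 'WRITE_DAC', 'WO': 'WRITE_OWNER',
}
SID_ALIASES = {'SY': 'LocalSystem', 'BA': 'Administrators', 'IU': 'Interactive',
               'SU': 'Service', 'WD': 'Everyone'}


def masquerading_paths(cmdline):
    """Paths in cmdline that borrow a core Windows process name but sit outside
    System32/SysWOW64, e.g. C:\\Windows\\rss\\csrss.exe."""
    hits = []
    for path in re.findall(r'[A-Za-z]:\\[^"\s]+', cmdline):
        low = path.lower()
        if low.rsplit('\\', 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            hits.append(path)
    return hits


def parse_dacl(sddl):
    """Split the D: part of an SDDL string into (ace_type, rights, trustee) tuples.
    Each ACE is (type;flags;rights;object;inherit_object;sid); A = allow, D = deny."""
    m = re.search(r'D:((?:\([^)]*\))+)', sddl)
    aces = []
    for ace in re.findall(r'\(([^)]*)\)', m.group(1) if m else ''):
        ace_type, _flags, rights, _obj, _iobj, sid = ace.split(';')[:6]
        names = frozenset(SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                          for i in range(0, len(rights), 2))
        aces.append((ace_type, names, SID_ALIASES.get(sid, sid)))
    return aces


def effective_rights(sddl, trustee):
    """(allowed minus denied, denied) for one trustee alias. Simplified on purpose:
    ignores ACE ordering and group membership, enough for a single-principal check."""
    allowed, denied = set(), set()
    for ace_type, rights, who in parse_dacl(sddl):
        if who == trustee:
            (allowed if ace_type == 'A' else denied).update(rights)
    return allowed - denied, denied


def triage(cmdline):
    """Short findings for one command line from the process list."""
    findings = [f'masquerading path {p}' for p in masquerading_paths(cmdline)]
    low = cmdline.lower()
    if 'advfirewall firewall add rule' in low and 'action=allow' in low:
        findings.append('inbound firewall allow rule added')
    if 'schtasks' in low and '/create' in low and '/sc onlogon' in low and '/rl highest' in low:
        findings.append('elevated logon-triggered scheduled task')
    if 'schtasks' in low and '/delete' in low:
        findings.append('scheduled task deleted')
    m = re.search(r'injector\.exe\s+(\S+)\s+(\S+\.dll)', cmdline, re.I)
    if m:
        findings.append(f"{m.group(2).rsplit(chr(92), 1)[-1]} injected into {m.group(1)}")
    if low.startswith('sc sdset'):
        _allowed, denied = effective_rights(cmdline, 'Administrators')
        if 'STOP' in denied:
            findings.append('service DACL denies STOP to Administrators')
    return findings


if __name__ == '__main__':
    for c in OBSERVED:
        print(c[:48], '->', triage(c))
    print('Administrators keep:', sorted(effective_rights(OBSERVED[4], 'Administrators')[0]))
```

Run against the page's own lines the routine reports the masquerading csrss.exe path twice (firewall rule and scheduled task), the DLL injected into taskmgr.exe, and the deny ACE; effective_rights shows Administrators retain WRITE_DAC, DELETE and CHANGE_CONFIG, so an elevated sc sdset back to a sane DACL or sc delete is still possible from that principal even though stop and pause are blocked. The parser only reads the DACL and does not model Windows' canonical ACE ordering, which is fine for a descriptor with one deny ACE but would need the full evaluation rules for anything with inherited or conflicting entries.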

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 437f7a52-72d6-4409-b506-5e8f87d31255.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.theupdatetime.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
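Most rows in the Network table are PTR lookups against 8.8.8.8. Read back to front, nearly every in-addr.arpa name is the reverse of an address the run had just connected to (108.216.82.185.in-addr.arpa is 185.82.216.108, which is server2.theupdatetime.org; 44.27.3.81.in-addr.arpa is the STUN server), so they are reverse resolution of peers rather than additional infrastructure. What remains after those and the Bing traffic is small: a query for a UUID-labelled subdomain of theupdatetime.org (a per-host identifier carried in the query name itself), a STUN request to stun.ipfire.org on udp/3478, which is a way to learn the host's public address and NAT type, and TLS connections to server2.theupdatetime.org, cdn.discordapp.com and carsalessystem.com. The Python below is an added correlation routine, not part of the report; it takes a subset of the table's rows as constructed input, and its treatment of *.bing.com and *.bing.net as Windows background traffic is an assumption about the sandbox, not a fact the page states.

```python
import re

# Rows copied from the Network table above (Country Destination Domain Proto).
# The correlation logic is an added example, not part of the sandbox report.
ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 437f7a52-72d6-4409-b506-5e8f87d31255.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server2.theupdatetime.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.108:443 server2.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

UUID_LABEL = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.', re.I)
# Assumption: Bing traffic on a Windows sandbox is OS/Edge background, not the sample's.
BACKGROUND = ('.bing.com', '.bing.net')
STUN_PORT = 3478


def parse_rows(text):
    """One dict per table row; Destination is split into ip and int port."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(':', 1)
        rows.append({'country': country, 'ip': ip, 'port': int(port),
                     'domain': domain, 'proto': proto})
    return rows


def ptr_target(domain):
    """'108.216.82.185.in-addr.arpa' -> '185.82.216.108'; None for ordinary names."""
    suffix = '.in-addr.arpa'
    if not domain.endswith(suffix):
        return None
    return '.'.join(reversed(domain[:-len(suffix)].split('.')))


def apex(domain):
    """Registrable domain, assuming a single-label public suffix (true for these rows)."""
    return '.'.join(domain.split('.')[-2:])


def summarize(rows):
    """Explain PTR queries by the run's own peers and group what is left by apex domain."""
    peers = {r['ip'] for r in rows}
    names = {r['ip']: r['domain'] for r in rows if r['port'] != 53}
    out = {'ptr_explained': {}, 'ptr_unexplained': [], 'stun': [], 'uuid_labels': [],
           'queried': {}, 'connections': {}, 'background': set()}
    for r in rows:
        d = r['domain']
        ip = ptr_target(d)
        if ip is not None:
            if ip in peers:
                out['ptr_explained'][ip] = names.get(ip, 'resolver')
            else:
                out['ptr_unexplained'].append(ip)
            continue
        if d.endswith(BACKGROUND):
            out['background'].add(d)
            continue
        out['queried'].setdefault(apex(d), set()).add(d)
        if UUID_LABEL.match(d):
            out['uuid_labels'].append(d)
        if r['port'] == STUN_PORT:
            out['stun'].append(d)
        elif r['port'] != 53:
            out['connections'].setdefault(apex(d), set()).add(
                f"{d} {r['ip']}:{r['port']}/{r['proto']}")
    return out


if __name__ == '__main__':
    for key, value in summarize(parse_rows(ROWS)).items():
        print(f'{key}: {value}')
```

On these rows only one PTR query (52.183.220.149) is not explained by a connection in the table, and the UUID query and server2 collapse to a single apex, theupdatetime.org, which is the domain to pivot on; stun.ipfire.org is a public STUN server, so the interesting fact is the STUN use itself, not the server.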

Files

memory/2900-1-0x00000000047F0000-0x0000000004BED000-memory.dmp

memory/2900-2-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/2900-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4328-5-0x000000007429E000-0x000000007429F000-memory.dmp

memory/4328-6-0x00000000048D0000-0x0000000004906000-memory.dmp

memory/2900-4-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/4328-7-0x0000000005090000-0x00000000056B8000-memory.dmp

memory/4328-8-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/4328-9-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/4328-10-0x0000000004FE0000-0x0000000005002000-memory.dmp

memory/4328-12-0x0000000005730000-0x0000000005796000-memory.dmp

memory/4328-11-0x00000000056C0000-0x0000000005726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dy5rr2fw.lgl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4328-22-0x0000000005860000-0x0000000005BB4000-memory.dmp

memory/4328-23-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

memory/4328-24-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

memory/4328-25-0x0000000006410000-0x0000000006454000-memory.dmp

memory/4328-26-0x00000000071D0000-0x0000000007246000-memory.dmp

memory/4328-27-0x00000000078D0000-0x0000000007F4A000-memory.dmp

memory/4328-28-0x0000000007270000-0x000000000728A000-memory.dmp

memory/4328-30-0x0000000070130000-0x000000007017C000-memory.dmp

memory/4328-31-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/4328-29-0x0000000007430000-0x0000000007462000-memory.dmp

memory/4328-42-0x0000000007470000-0x000000000748E000-memory.dmp

memory/4328-32-0x0000000070700000-0x0000000070A54000-memory.dmp

memory/4328-43-0x0000000007490000-0x0000000007533000-memory.dmp

memory/4328-44-0x0000000007580000-0x000000000758A000-memory.dmp

memory/4328-45-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/4328-46-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/4328-47-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/4328-48-0x0000000007640000-0x00000000076D6000-memory.dmp

memory/4328-49-0x00000000075A0000-0x00000000075B1000-memory.dmp

memory/4328-50-0x00000000075E0000-0x00000000075EE000-memory.dmp

memory/4328-51-0x00000000075F0000-0x0000000007604000-memory.dmp

memory/4328-52-0x00000000076E0000-0x00000000076FA000-memory.dmp

memory/4328-53-0x0000000007620000-0x0000000007628000-memory.dmp

memory/4328-56-0x0000000074290000-0x0000000074A40000-memory.dmp

memory/2900-58-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2900-59-0x00000000047F0000-0x0000000004BED000-memory.dmp

memory/2900-60-0x0000000004BF0000-0x00000000054DB000-memory.dmp

memory/3984-61-0x00000000055B0000-0x0000000005904000-memory.dmp

memory/3984-71-0x0000000070130000-0x000000007017C000-memory.dmp

memory/3984-72-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/3984-82-0x0000000006ED0000-0x0000000006F73000-memory.dmp

memory/3984-83-0x0000000007120000-0x0000000007131000-memory.dmp

memory/2900-85-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1068-84-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3984-86-0x0000000007170000-0x0000000007184000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b771207bcbd08c84e55278e8a069c9c
SHA1 a7bc2260b6eacc507c614245e565f44cad1bbbd1
SHA256 64a0ccb7beb1abf99f17ca67210db8d3b08f5537339b4bd21cd0060d9f7dac5a
SHA512 e026cdc7a4aaf54eadcea9d6de1a7f236c83843eb3317aeb946258cd491bdb89324a3dcc7f6f82488405b65ce6bb0e97d0ede3c57338d73f694498e5961be796

memory/3220-100-0x0000000070130000-0x000000007017C000-memory.dmp

memory/3220-101-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/4352-122-0x0000000006280000-0x00000000065D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dadb9615ad0f591c94f84ea3d0acd38e
SHA1 6ed9ffd50cb3b703776c880225ea034f2ed8a48f
SHA256 0480ddd399effede886158e57bbc7af64952dde5f2fd65f8010b891e3eba8790
SHA512 c03865868428e93ce7286d1c0992d40759b32c625bb183fbad52751c62aa70db45b3fb45202c92e15af8a63d7b0bcacaf153a8f084a41077b94c946068ca96fa

memory/4352-125-0x00000000702B0000-0x0000000070604000-memory.dmp

memory/4352-124-0x0000000070130000-0x000000007017C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 15879fcee8ee493410204328531717d2
SHA1 ce9733eedc5c225f41a6f52bd514402e026eff58
SHA256 266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18
SHA512 f97d93e4fcfece5ccbeb98bf27a54c9d7e381e107fed0b9484f452c6d2fffd214a7358c31b8debeb79982fc25917ea7495c03e28ff56b11072246f31501ba100

memory/1068-141-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c6fa228c83375197969989748bf2a64b
SHA1 34e95a09062085848a378dee249438b641903260
SHA256 a441da2854b0e72edfa97892ef8f7033853494a9f3fa74e5458e6cf504cbd177
SHA512 a7f4153f25fcbf5f008841a06f7eccbe3b85785aa1400b821f804e741a19780f69da2cc603c9b20a39819e497b642ee7319f1ac7337be1c7ea1bc20670056b0d

memory/1492-155-0x00000000702B0000-0x0000000070604000-memory.dmp

memory/1492-154-0x0000000070130000-0x000000007017C000-memory.dmp

memory/1364-153-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/3832-175-0x0000000005C50000-0x0000000005FA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 387b99b8ac43c3adc5ba6fa07e22be4f
SHA1 cfdf8ced4641b0938ad5d8d68e273a7f10cddf9a
SHA256 34198bad9c1d7bd7d2ed3ce5e54281e0628cc73401a77819e1101149e7515ab6
SHA512 ed92028c4af31ca612e6e4ef28d751ab084050ea054d9b37169c690c2324a64d031061f66ba5137273145a0b22a1b09a0be1158d1c32a35bc7df76922c3ccee0

memory/3832-178-0x0000000006340000-0x000000000638C000-memory.dmp

memory/3832-180-0x0000000070760000-0x0000000070AB4000-memory.dmp

memory/3832-190-0x0000000007540000-0x00000000075E3000-memory.dmp

memory/3832-179-0x0000000070050000-0x000000007009C000-memory.dmp

memory/3832-191-0x0000000007850000-0x0000000007861000-memory.dmp

memory/3832-192-0x00000000060D0000-0x00000000060E4000-memory.dmp

memory/736-203-0x0000000005850000-0x0000000005BA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 887a1893751fedda79fc92c9cb3976e3
SHA1 b291beebb1553f689c809dc869baf20532ee9827
SHA256 12c28b42912b4b8399e25b9d2de401dc08359dd019b1aeb34837b3f063c17c6f
SHA512 52563442cf6f7034af3bc25b671ff0e08e42dc1d60f8c579ce9621c8de201298c9dde4815867a121a8974ee4ace807becdf126bdacfd302b1e82e7b17001ef69

memory/736-207-0x00000000701D0000-0x0000000070524000-memory.dmp

memory/736-206-0x0000000070050000-0x000000007009C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1364-223-0x0000000000400000-0x0000000002B0C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2328-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2328-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1364-233-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2140-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1364-237-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1364-241-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2140-244-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1364-245-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1364-249-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1364-253-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/2140-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1364-257-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1364-261-0x0000000000400000-0x0000000002B0C000-memory.dmp

memory/1364-265-0x0000000000400000-0x0000000002B0C000-memory.dmp
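Two things in the Files list are easy to miss in the raw listing. First, the dropped C:\Windows\rss\csrss.exe has the same SHA256 as the submitted sample, so the csrss persistence is a byte-identical self-copy rather than a second stage, while windefender.exe and injector.exe are distinct binaries. Second, each dump name encodes PID, dump index and the dumped address range. Grouping regions that start at 0x400000 (the linker's default image base for a 32-bit PE that was not relocated) shows PIDs 2900, 1068 and 1364 sharing the 0x400000-0x2B0C000 layout, PIDs 2328 and 2140 sharing 0x400000-0x8DF000, and PID 4328 having the same 0x74290000-0x74A40000 region dumped repeatedly. PID 2328 is windefender.exe per the memory-write entries above; reading the other PIDs as the sample and its csrss.exe copies, and 2140 as the second windefender.exe instance, is an inference from shared layout plus the process list, not something the page states. The Python below is an added parser, not part of the report; its inputs are a subset of the list's own lines.

```python
import re

# Lines copied from the Files list above (a subset); the grouping below is an
# added example, not part of the sandbox report.
SAMPLE_SHA256 = '266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18'
DUMPS = """\
memory/2900-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2900-4-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/4328-8-0x0000000074290000-0x0000000074A40000-memory.dmp
memory/4328-9-0x0000000074290000-0x0000000074A40000-memory.dmp
memory/4328-31-0x0000000074290000-0x0000000074A40000-memory.dmp
memory/4328-45-0x0000000074290000-0x0000000074A40000-memory.dmp
memory/1068-84-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/1364-153-0x0000000000400000-0x0000000002B0C000-memory.dmp
memory/2328-229-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2140-236-0x0000000000400000-0x00000000008DF000-memory.dmp
""".split()
DROPPED = {  # path -> SHA256, as listed above
    'C:\\Windows\\rss\\csrss.exe':
        '266d68ac2aa7138fb6d8078e8c059fbb5204bb33160ae3e089258598a7895c18',
    'C:\\Windows\\windefender.exe':
        '166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa',
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\csrss\\injector\\injector.exe':
        '5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1',
}

DUMP_RE = re.compile(r'memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp')
DEFAULT_IMAGE_BASE = 0x400000  # linker default for a 32-bit PE executable


def parse_dump(name):
    """'memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp' -> dict with int fields."""
    pid, index, start, end = DUMP_RE.fullmatch(name).groups()
    start, end = int(start, 16), int(end, 16)
    return {'pid': int(pid), 'index': int(index), 'start': start, 'end': end,
            'size': end - start}


def image_layouts(names):
    """Map each (start, end) range at the default image base to the PIDs that had
    it dumped; PIDs sharing a layout are running the same unrelocated module."""
    layouts = {}
    for d in map(parse_dump, names):
        if d['start'] == DEFAULT_IMAGE_BASE:
            layouts.setdefault((d['start'], d['end']), set()).add(d['pid'])
    return layouts


def repeated_regions(names):
    """(pid, start, end) regions that were dumped more than once, with the count."""
    counts = {}
    for d in map(parse_dump, names):
        key = (d['pid'], d['start'], d['end'])
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v > 1}


def self_copies(dropped, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return sorted(p for p, h in dropped.items() if h.lower() == sample_sha256.lower())


if __name__ == '__main__':
    for (start, end), pids in sorted(image_layouts(DUMPS).items()):
        print(f'0x{start:X}-0x{end:X} ({(end - start) / 2**20:.1f} MiB): PIDs {sorted(pids)}')
    print('repeated:', repeated_regions(DUMPS))
    print('self-copies of the sample:', self_copies(DROPPED, SAMPLE_SHA256))
```

The 0x400000-0x2B0C000 region is about 39 MiB against 0xD1C000 (about 9 MiB) for PID 2900's earlier dump at the same base; the page gives no explanation for the two extents, so the script reports them as separate layouts rather than guessing. When extending this to a full listing, the same grouping by (start, end) is the quickest way to decide which dumps are worth opening: one per distinct layout, not one per line.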