Malware Analysis Report

2024-11-13 19:43

Sample ID 240517-lv1thsch42
Target 779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07
SHA256 779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07
Tags
glupteba dropper evasion execution loader upx discovery persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07

Threat Level: Known bad

The file 779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 09:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 09:51

Reported

2024-05-17 09:54

Platform

win10v2004-20240426-en

Max time kernel

8s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 matches (Description, Indicator, Process and Target all N/A in this export)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

UPX packed file

upx
7 matches (Description, Indicator, Process and Target all N/A in this export)

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe

"C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe

"C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
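The process tree above contains the four host-side actions worth alerting on: a firewall allow rule for a binary dropped under C:\Windows\rss, an ONLOGON scheduled task run at the highest privilege level for that same binary, a service DACL rewritten with an explicit deny ACE against Administrators, and a loader that injects an NtQuerySystemInformation hook DLL into Task Manager (the API Task Manager uses to enumerate processes, so hooking it there is the classic user-mode way to hide a process). The following is an added example, not part of the sandbox report and not the malware's own code: a small Python detector that applies those four checks to constructed process-creation events modelled on the command lines above. The PIDs, the event dictionary layout, the rule names and the trusted-directory list are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events modelled on the behavioral1 process tree
# of this report. PIDs and the dictionary layout are the example's own.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe"
EVENTS = [
    {"pid": 464, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 1040, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"pid": 1100, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 1104, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": "schtasks /delete /tn ScheduledUpdate /f"},
    {"pid": 1200, "image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
                r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"pid": 1300, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
]

# Directories where a legitimately installed startup binary or service normally lives
# (assumed allowlist). C:\Windows itself is deliberately absent: the sample drops into
# C:\Windows\rss and directly into C:\Windows.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Two-letter SDDL rights codes as Windows interprets them for service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def trusted_path(path):
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def parse_dacl(sddl):
    """Yield (ace_type, rights, trustee) for each ACE in the DACL of a service SDDL.

    Only the two-letter rights form is decoded; a hex access mask is passed through as-is.
    """
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)   # DACL runs from D: up to the SACL (S:)
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        parts = body.split(";")               # type;flags;rights;obj;inherit_obj;trustee
        codes = [parts[2][i:i + 2] for i in range(0, len(parts[2]), 2)]
        yield parts[0], {SERVICE_RIGHTS.get(c, c) for c in codes}, parts[5]


def denied_to_admins(sddl):
    """Rights explicitly denied to BUILTIN\\Administrators (trustee BA)."""
    denied = set()
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type == "D" and trustee == "BA":
            denied |= rights
    return denied


def check_event(ev):
    cmd, out = ev["cmdline"], []
    # 1. Inbound firewall allow rule for a binary outside the trusted directories.
    m = re.search(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b.*\bprogram="?([^"\s]+)', cmd, re.I)
    if m and not trusted_path(m.group(1)):
        out.append(Finding("firewall_allow_untrusted_binary", ev["pid"], m.group(1)))
    # 2. Logon task at highest run level whose target is outside the trusted directories
    #    (argument order as observed in this report: /RL before /TR before /TN).
    m = re.search(r'schtasks\s+/create\b.*?/rl\s+highest\b.*?/tr\s+"?([^"]+?)"?\s+/tn\s+(\S+)', cmd, re.I)
    if m and not trusted_path(m.group(1)):
        out.append(Finding("elevated_logon_task_untrusted_binary", ev["pid"], m.group(2) + " -> " + m.group(1)))
    # 3. Service security descriptor rewritten so Administrators cannot stop or pause it.
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if m:
        denied = denied_to_admins(m.group(2))
        if denied & {"STOP", "PAUSE_CONTINUE"}:
            out.append(Finding("service_dacl_denies_admin_control", ev["pid"], m.group(1) + ": " + str(sorted(denied))))
    # 4. A loader given a target process name and a *Hook*.dll: user-mode API hooking.
    m = re.search(r"(\S+\.exe)\s+(\S+hook\S*\.dll)", cmd, re.I)
    if m:
        out.append(Finding("dll_injection_api_hook", ev["pid"], m.group(1) + " <- " + m.group(2)))
    return out


def scan(events):
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The SDDL check is the one most often skipped when triaging a report like this. In the descriptor above, `(D;;WPDT;;;BA)` is a deny ACE for the Builtin Administrators group covering WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), so an administrator running `sc stop WinDefender` is refused while SYSTEM keeps full control; the service name, the task name `csrss` and the firewall rule name `csrss` all borrow the names of legitimate Windows components. Removal therefore has to start from SYSTEM (or by resetting the descriptor with `sc sdset` from a SYSTEM context) rather than from an elevated administrator prompt.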

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65ae162d-809b-4fa5-b3c2-ac3167a35103.uuid.dumperstats.org udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server8.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server8.dumperstats.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server8.dumperstats.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.111:443 server8.dumperstats.org tcp

Files

memory/464-1-0x0000000004870000-0x0000000004C6F000-memory.dmp

memory/464-2-0x0000000004C70000-0x000000000555B000-memory.dmp

memory/464-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4936-4-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/4936-5-0x00000000026C0000-0x00000000026F6000-memory.dmp

memory/4936-7-0x0000000074CE0000-0x0000000075490000-memory.dmp

memory/4936-6-0x0000000004EA0000-0x00000000054C8000-memory.dmp

memory/4936-8-0x0000000074CE0000-0x0000000075490000-memory.dmp

memory/4936-10-0x00000000055C0000-0x0000000005626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkmbgqtg.anx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4936-11-0x0000000005630000-0x0000000005696000-memory.dmp

memory/4936-21-0x0000000005930000-0x0000000005C84000-memory.dmp

memory/4936-9-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

memory/4936-22-0x0000000005D00000-0x0000000005D1E000-memory.dmp

memory/4936-23-0x0000000005D40000-0x0000000005D8C000-memory.dmp

memory/4936-24-0x00000000062A0000-0x00000000062E4000-memory.dmp

memory/4936-25-0x0000000007040000-0x00000000070B6000-memory.dmp

memory/4936-27-0x00000000070E0000-0x00000000070FA000-memory.dmp

memory/4936-26-0x0000000007740000-0x0000000007DBA000-memory.dmp

memory/4936-31-0x0000000070D00000-0x0000000071054000-memory.dmp

memory/4936-30-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/4936-43-0x0000000074CE0000-0x0000000075490000-memory.dmp

memory/4936-44-0x0000000074CE0000-0x0000000075490000-memory.dmp

memory/464-28-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4936-45-0x00000000073E0000-0x00000000073EA000-memory.dmp

memory/4936-42-0x00000000072F0000-0x0000000007393000-memory.dmp

memory/4936-46-0x00000000074A0000-0x0000000007536000-memory.dmp

memory/4936-47-0x0000000007400000-0x0000000007411000-memory.dmp

memory/4936-41-0x00000000072D0000-0x00000000072EE000-memory.dmp

memory/4936-29-0x0000000007290000-0x00000000072C2000-memory.dmp

memory/4936-48-0x0000000007440000-0x000000000744E000-memory.dmp

memory/4936-50-0x0000000007540000-0x000000000755A000-memory.dmp

memory/4936-51-0x0000000007490000-0x0000000007498000-memory.dmp

memory/4936-49-0x0000000007450000-0x0000000007464000-memory.dmp

memory/4936-54-0x0000000074CE0000-0x0000000075490000-memory.dmp

memory/464-56-0x0000000004870000-0x0000000004C6F000-memory.dmp

memory/464-57-0x0000000004C70000-0x000000000555B000-memory.dmp

memory/1832-58-0x0000000005C00000-0x0000000005F54000-memory.dmp

memory/1832-68-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/1832-69-0x0000000071300000-0x0000000071654000-memory.dmp

memory/1832-79-0x00000000074A0000-0x0000000007543000-memory.dmp

memory/1832-80-0x00000000077A0000-0x00000000077B1000-memory.dmp

memory/1832-81-0x00000000077F0000-0x0000000007804000-memory.dmp

memory/464-83-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/464-82-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d676fccb6f63fc254d4ae3f669c4161
SHA1 79c945caff9257160f1139c79acf4d42d6d267d1
SHA256 2349487749c3b7d6b7c9710512536117c34f234dc46463df6396bf7323d6f60a
SHA512 86dca15ca6f376edd14057ecd0119e8940b20a695321f3b53e711517799e3725d9c76df1fbc23f868024c362c0b017f82f53d20311508a2f4895f8c40d9b2e16

memory/220-98-0x0000000071300000-0x0000000071654000-memory.dmp

memory/220-97-0x0000000070B80000-0x0000000070BCC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d7debb7667e68d11eb13ebfb51f513bb
SHA1 0e95b5c62360b223ee5dca62996ff32c2070fd06
SHA256 7990e5848cf0bd619bef2f27d387d230de7597fac5871052530cba73373aa5e7
SHA512 c2d8796b653ac9f14566c80e4bd7a7f83ceb13e76e7b177c5f07e37674ef69ac0736d4c93306b0812af59303577553fd2eab72782d4fc0300d5697bfbc17a22c

memory/2300-121-0x0000000070D00000-0x0000000071054000-memory.dmp

memory/2300-120-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/3988-119-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 da8311138cb27dff061c9baf5792f0b5
SHA1 27380810d050b1b136ffd86792420c67fb637ac6
SHA256 779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07
SHA512 c24ccd11c22ebd264ae686ce9ae80ad7e18c1523d7a2b99c684517bbab7780686b779fca4355ca7d5a740b51e4cfe3484a6e5ce2bbc677d28dac187d9c109112

memory/3988-136-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 925d46ecdb9ed58c439fa111cb157bd1
SHA1 10ba30b0a4f55e4c6d2fae1e138f4242f912f183
SHA256 01ef5159138967c335405af5c1c213854fb9e58fde3693656eb0b3284f8cb063
SHA512 44b4d1d1f32610acad32e7516d82693a3ee492731e0403d4ba261d396bf4f38c9e1e63ed8e7458e25f7f9d2b6c56201f02032402dcaa15e7012face6c919542e

memory/4500-150-0x0000000071300000-0x0000000071654000-memory.dmp

memory/4500-149-0x0000000070B80000-0x0000000070BCC000-memory.dmp

memory/2220-170-0x00000000061F0000-0x0000000006544000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3928cb74b206da7d697e9f748b02f9ae
SHA1 bac78cc85a6a84cfeca2ab54671bc818ae46feff
SHA256 9dfdb0476bcf18dcd78401ca5052eba564ef2b81eb9b33c1482fe13466d1d27e
SHA512 a1c1498ec314b6c5d5bd50f505408436545360f788e2ad2f4b6799fac07301b6391b2b4a2dc3026eafb43349a027a2208979fcf8e5567e0386a5685afae1208e

memory/2220-172-0x0000000006950000-0x000000000699C000-memory.dmp

memory/2220-174-0x0000000071250000-0x00000000715A4000-memory.dmp

memory/2220-184-0x0000000007B60000-0x0000000007C03000-memory.dmp

memory/2220-173-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

memory/2220-185-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

memory/2220-186-0x00000000066B0000-0x00000000066C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b1c4f89f43b29d20125914561955998
SHA1 d9f9f9b3fbf66ca33ede382f42d8e9d509038f81
SHA256 e960820e8ea3df66da3a0faf506939da69b77a36765de681682fee0331a2730e
SHA512 95eb694f33e1db644416065f2fe6345837ef2c865bbc17efe3cf865bdb609bc4f8a1c29c28fde2a0493436429c228097e7e409dbf1b15307a8b30bcffc1ba002

memory/2436-197-0x00000000058D0000-0x0000000005C24000-memory.dmp

memory/2436-200-0x0000000070C40000-0x0000000070F94000-memory.dmp

memory/2436-199-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/996-216-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4892-222-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/116-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4892-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/996-226-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/116-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/996-228-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/996-231-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/116-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/996-234-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/996-238-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/996-240-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/116-244-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/996-243-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/996-246-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/996-250-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/996-252-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/996-255-0x0000000000400000-0x0000000002B0D000-memory.dmp
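The Network and Files tables above are the pivot material for an investigation, and two details are easy to miss when reading them by eye: the dropped C:\Windows\rss\csrss.exe has the same SHA256 as the submitted sample (a self-copy, not a second-stage payload), and one DNS query carries a UUID as its leftmost label, which is worth treating as a possible per-host identifier. As an added example, not part of the report, the Python below parses a constructed excerpt of those two sections in the report's own line layout, drops the reverse-lookup rows and the Bing background traffic under an analyst allowlist, groups the remaining destinations by domain and contacted IP, and separates dropped binaries from PowerShell and CLR residue while marking the self-copy by hash. The allowlist is an assumption for the example; stun2.l.google.com and cdn.discordapp.com are deliberately left in the review set, the first because a STUN query reveals the host's external address and the second because that CDN is a common payload host, though the report does not show what was fetched from either.

```python
import re
import uuid

SAMPLE_SHA256 = "779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07"

# Analyst allowlist of suffixes treated as sandbox/OS background noise.
# An assumption for this example, not something the report states.
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")

# Constructed excerpt: a handful of rows copied from the Network and Files
# sections of this report, in the report's own line layout.
REPORT_EXCERPT = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 65ae162d-809b-4fa5-b3c2-ac3167a35103.uuid.dumperstats.org udp
US 8.8.8.8:53 server8.dumperstats.org udp
US 74.125.250.129:19302 stun2.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server8.dumperstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server8.dumperstats.org tcp

Files

memory/464-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nkmbgqtg.anx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Windows\rss\csrss.exe

MD5 da8311138cb27dff061c9baf5792f0b5
SHA256 779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
"""


def parse_report(text):
    """Split report text into network rows and file entries with their hashes."""
    net, files, current = [], [], None
    for line in text.splitlines():
        m = re.match(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$", line)
        if m:
            net.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                        "domain": m.group(4), "proto": m.group(5)})
            continue
        if re.match(r"^[A-Za-z]:\\", line):          # a dropped-file path opens a new entry
            current = {"path": line.strip()}
            files.append(current)
            continue
        m = re.match(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", line)
        if m and current is not None:                # hash lines belong to the last path seen
            current[m.group(1)] = m.group(2)
    return net, files


def has_uuid_label(domain):
    """True if the leftmost DNS label parses as a UUID (possible per-host identifier)."""
    try:
        uuid.UUID(domain.split(".")[0])
        return True
    except ValueError:
        return False


def triage_network(net):
    """Group non-allowlisted destinations by domain with the IPs and ports actually contacted."""
    review = {}
    for row in net:
        domain = row["domain"]
        if domain.endswith(BENIGN_SUFFIXES):
            continue
        entry = review.setdefault(domain, {"ips": set(), "ports": set(),
                                           "uuid_label": has_uuid_label(domain)})
        if row["port"] != 53:   # port-53 rows name the resolver, not the host behind the domain
            entry["ips"].add(row["ip"])
            entry["ports"].add(row["port"])
    return review


def triage_files(files, sample_sha256=SAMPLE_SHA256):
    """Label each dropped file: self-copy of the sample, new binary, or tooling residue."""
    out = []
    for f in files:
        path, sha = f["path"], f.get("SHA256")
        if sha == sample_sha256:
            verdict = "self-copy of sample"
        elif path.lower().endswith((".exe", ".dll", ".sys")):
            verdict = "new dropped binary"
        else:
            verdict = "tooling residue"
        out.append((path, verdict, sha))
    return out


if __name__ == "__main__":
    net_rows, file_entries = parse_report(REPORT_EXCERPT)
    for domain, info in triage_network(net_rows).items():
        print(domain, sorted(info["ips"]), sorted(info["ports"]), "uuid-label" if info["uuid_label"] else "")
    for path, verdict, sha in triage_files(file_entries):
        print(verdict, path, sha)
```

The practical output is two short lists: the domains and IPs to hunt for in proxy and DNS logs (with the UUID-labelled query flagged so that the same pattern can be searched for under other UUIDs), and the two binaries that actually merit separate analysis, windefender.exe and injector.exe, since csrss.exe is the sample itself under a new name.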

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 09:51

Reported

2024-05-17 09:54

Platform

win11-20240419-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 matches (Description, Indicator, Process and Target all N/A in this export)

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

UPX packed file

upx
6 matches (Description, Indicator, Process and Target all N/A in this export)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2332 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2332 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\system32\cmd.exe
PID 1724 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\system32\cmd.exe
PID 3088 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3088 wrote to memory of 456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1724 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1724 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\rss\csrss.exe
PID 1724 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\rss\csrss.exe
PID 1724 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe C:\Windows\rss\csrss.exe
PID 1296 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 1064 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 3892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 3892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 3892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 3468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 3468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 3468 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1296 wrote to memory of 3868 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1296 wrote to memory of 3868 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1152 wrote to memory of 3900 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3900 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 3900 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3900 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3900 wrote to memory of 3008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe

"C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe

"C:\Users\Admin\AppData\Local\Temp\779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 78846311-4656-4ed6-8849-ce33caf7706a.uuid.dumperstats.org udp
US 8.8.8.8:53 server16.dumperstats.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.111:443 server16.dumperstats.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server16.dumperstats.org tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.111:443 server16.dumperstats.org tcp
BG 185.82.216.111:443 server16.dumperstats.org tcp

Files

memory/2332-1-0x0000000004950000-0x0000000004D58000-memory.dmp

memory/2332-2-0x0000000004D60000-0x000000000564B000-memory.dmp

memory/2332-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5116-4-0x000000007418E000-0x000000007418F000-memory.dmp

memory/5116-5-0x00000000051B0000-0x00000000051E6000-memory.dmp

memory/5116-6-0x0000000005940000-0x0000000005F6A000-memory.dmp

memory/5116-7-0x0000000074180000-0x0000000074931000-memory.dmp

memory/5116-8-0x00000000057D0000-0x00000000057F2000-memory.dmp

memory/5116-10-0x0000000006050000-0x00000000060B6000-memory.dmp

memory/5116-9-0x0000000005F70000-0x0000000005FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ipsgtxfd.yeh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5116-16-0x0000000074180000-0x0000000074931000-memory.dmp

memory/5116-20-0x00000000061C0000-0x0000000006517000-memory.dmp

memory/5116-21-0x0000000006660000-0x000000000667E000-memory.dmp

memory/5116-22-0x00000000066B0000-0x00000000066FC000-memory.dmp

memory/5116-23-0x0000000006C20000-0x0000000006C66000-memory.dmp

memory/5116-25-0x0000000007A70000-0x0000000007AA4000-memory.dmp

memory/5116-27-0x0000000070600000-0x0000000070957000-memory.dmp

memory/5116-36-0x0000000007AD0000-0x0000000007AEE000-memory.dmp

memory/5116-37-0x0000000007AF0000-0x0000000007B94000-memory.dmp

memory/2332-24-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/5116-38-0x0000000074180000-0x0000000074931000-memory.dmp

memory/5116-39-0x0000000074180000-0x0000000074931000-memory.dmp

memory/5116-26-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/5116-41-0x0000000007C20000-0x0000000007C3A000-memory.dmp

memory/5116-40-0x0000000008260000-0x00000000088DA000-memory.dmp

memory/5116-42-0x0000000007C60000-0x0000000007C6A000-memory.dmp

memory/5116-43-0x0000000007D70000-0x0000000007E06000-memory.dmp

memory/5116-44-0x0000000007C80000-0x0000000007C91000-memory.dmp

memory/5116-45-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

memory/5116-46-0x0000000007CE0000-0x0000000007CF5000-memory.dmp

memory/5116-47-0x0000000007D30000-0x0000000007D4A000-memory.dmp

memory/5116-48-0x0000000007D50000-0x0000000007D58000-memory.dmp

memory/5116-51-0x0000000074180000-0x0000000074931000-memory.dmp

memory/2332-54-0x0000000004950000-0x0000000004D58000-memory.dmp

memory/2332-55-0x0000000004D60000-0x000000000564B000-memory.dmp

memory/2332-53-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4036-56-0x0000000005A60000-0x0000000005DB7000-memory.dmp

memory/2332-65-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4036-66-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/4036-67-0x0000000070640000-0x0000000070997000-memory.dmp

memory/4036-76-0x0000000007180000-0x0000000007224000-memory.dmp

memory/4036-77-0x00000000074D0000-0x00000000074E1000-memory.dmp

memory/4036-78-0x0000000007520000-0x0000000007535000-memory.dmp

memory/1724-79-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4656-91-0x0000000005910000-0x0000000005C67000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f958d140aa67774e1b4c183d03320173
SHA1 c4b4f9c8374685709c097247763d437b38686533
SHA256 c7aabcef4af6245fe69ff4827e1177e93b0360da72834c2614ccd5c7e7dfcb9e
SHA512 ecc8604139c24f61f734a8870bb7e8a0d0e51e95b03ba2d15307475787050ccac326779f32712380357fa3c92971d2a637880df521551dc9f59f89862895d922

memory/4656-94-0x0000000070590000-0x00000000708E7000-memory.dmp

memory/4656-93-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/1084-113-0x0000000006320000-0x0000000006677000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5ca1907af9728a1716dcce20eddb7f09
SHA1 60156bac40c178e21a60d606d5a8f7e3457cf630
SHA256 ac06b99610e70cea89ca9ff209889528ebc36a9a304261b7261edc88fd93e7c2
SHA512 6b32acd7a4decb14c9a7aceafaa225d3cb5a4617a015342e5220ec642b25a1ce21252971d427700443ebc448288fa7de09c2465d867720389c7974fb626bed19

memory/1084-115-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/1084-116-0x0000000070570000-0x00000000708C7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 da8311138cb27dff061c9baf5792f0b5
SHA1 27380810d050b1b136ffd86792420c67fb637ac6
SHA256 779219955e5296b63d6c2fc43d45bf2e2da8aa0875e1ac90e147a5b8f5867d07
SHA512 c24ccd11c22ebd264ae686ce9ae80ad7e18c1523d7a2b99c684517bbab7780686b779fca4355ca7d5a740b51e4cfe3484a6e5ce2bbc677d28dac187d9c109112

memory/1724-129-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 02ca27cabead86d4e985889fe85bf6a3
SHA1 158c371bad90b7e662f866c38e375fad2e9d4349
SHA256 93dee429b759892226b13782279da34caa9375da82c1ca7e216600b3bb764a71
SHA512 8832ea16b4c0a1e66fa5e8adad6c3bbb1d104a5588a68ccfa8209c91ab86a561107e1afeebddb0035f92204aaee72b4a09396aaccf2696a27330c234ac32f738

memory/1064-142-0x00000000703F0000-0x000000007043C000-memory.dmp

memory/1064-143-0x0000000070570000-0x00000000708C7000-memory.dmp

memory/1296-152-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3892-162-0x00000000057B0000-0x0000000005B07000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e1f21abbdd89d4d805ed0761c65ba788
SHA1 b877377ec48040c37c493bc42d08cb0350b4bdfe
SHA256 4360022307ce7b31363b97ecdb1247233fde721acb96c5288e1f24166963be5e
SHA512 87f98fdf0872ad4d0fb174e82fb74391df7d33d41c3e3cf7b89d645600c9e99d2ca9d055f828793a553bbd649330c0c9de164176555c11ad4dfbc79b042edd6d

memory/3892-164-0x0000000005D60000-0x0000000005DAC000-memory.dmp

memory/3892-166-0x0000000070520000-0x0000000070877000-memory.dmp

memory/3892-165-0x0000000070310000-0x000000007035C000-memory.dmp

memory/3892-175-0x0000000006F70000-0x0000000007014000-memory.dmp

memory/3892-176-0x00000000072B0000-0x00000000072C1000-memory.dmp

memory/3892-177-0x00000000056B0000-0x00000000056C5000-memory.dmp

memory/3468-180-0x0000000005B70000-0x0000000005EC7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 57e3acf7db4924c9276d25080f4d10ab
SHA1 d1abb1b2079078845826f0e0f3f3ce0b5430279c
SHA256 475904a56226c6ddbab26f91b4d839b938b7a5abd3a6b2cb5920ef6e767c9fcb
SHA512 371634e214cc663c4b2914b2c6b149f268a86b62f793aa7c54aba0473a81d359f6f924a13702008a4d6c857f29b9e05db9faa2c12e1a8fed6101daa26397e810

memory/3468-190-0x0000000070310000-0x000000007035C000-memory.dmp

memory/3468-191-0x0000000070560000-0x00000000708B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1296-206-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1152-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4628-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1152-216-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1296-217-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4628-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1296-220-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1296-223-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/4628-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1296-226-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1296-229-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1296-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1296-235-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1296-238-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1296-241-0x0000000000400000-0x0000000002B0D000-memory.dmp