Malware Analysis Report

2024-11-13 19:42

Sample ID 240517-qm63saad5y
Target 725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302
SHA256 725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302
Tags
glupteba dropper evasion execution loader upx discovery persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302

Threat Level: Known bad

The file 725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 13:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 13:23

Reported

2024-05-17 13:26

Platform

win10v2004-20240426-en

Max time kernel

12s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(18 matches; the sandbox recorded no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; the sandbox recorded no description, indicator, process or target for any of them)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
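The sc.exe launch flagged here is the `sc sdset WinDefender D:(...)` command line recorded in the Processes list of this analysis: the sample rewrites the security descriptor of the service it installs for its dropped windefender.exe. The Python below is an added example by the editor, not sandbox output or code from the sample. It decodes that SDDL string using the standard two-letter SDDL rights abbreviations as the Service Control Manager interprets them for service objects, and reports what the descriptor grants and denies to BUILTIN\Administrators. The SDDL string is copied verbatim from the report; the `Ace` class, `parse_sddl`, `dacl_rights` and `summarize` names are the editor's.

```python
"""Decode the service security descriptor set by the sample's sc sdset call."""
import re
from dataclasses import dataclass

# Copied verbatim from the `sc sdset WinDefender ...` command line in this report.
SDDL_FROM_REPORT = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL rights tokens as the Service Control Manager interprets them
# for service objects (the generic object-right names map onto SERVICE_* bits).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "Interactive users", "SU": "Service logon users",
    "WD": "Everyone", "AU": "Authenticated Users",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}


@dataclass(frozen=True)
class Ace:
    acl: str            # "D" (DACL) or "S" (SACL)
    kind: str           # ALLOW / DENY / AUDIT
    flags: str          # raw ACE flags field, e.g. "FA" = audit failed access
    rights: frozenset   # decoded right names (unknown pairs kept raw)
    trustee: str        # resolved trustee name, or the raw SID string


def _decode_rights(token: str) -> frozenset:
    """Split an SDDL rights field into right names."""
    if token.startswith("0x"):
        return frozenset({token})          # numeric mask, left undecoded
    pairs = re.findall(r"[A-Z]{2}", token)
    return frozenset(SERVICE_RIGHTS.get(p, p) for p in pairs)


def parse_sddl(sddl: str) -> list:
    """Parse the D: and S: components of an SDDL string into Ace records."""
    aces = []
    # SDDL is a sequence of O:, G:, D:, S: components and ACE bodies contain
    # no colons, so splitting just before each "X:" isolates the components.
    for component in re.split(r"(?=[OGDS]:)", sddl):
        if not component or component[1] != ":":
            continue
        acl = component[0]
        if acl not in ("D", "S"):
            continue                        # owner / group are not ACLs
        for body in re.findall(r"\(([^)]*)\)", component[2:]):
            fields = body.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE: ({body})")
            ace_type, flags, rights, _obj, _inherit, sid = fields[:6]
            aces.append(Ace(acl, ACE_TYPES.get(ace_type, ace_type), flags,
                            _decode_rights(rights), TRUSTEES.get(sid, sid)))
    return aces


def dacl_rights(aces, trustee: str):
    """Return (allowed, denied) right-name sets for one trustee from the DACL."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.acl != "D" or ace.trustee != trustee:
            continue
        (allowed if ace.kind == "ALLOW" else denied).update(ace.rights)
    return allowed, denied


def summarize(sddl: str = SDDL_FROM_REPORT) -> dict:
    """What the descriptor means for a local administrator trying to stop the service."""
    aces = parse_sddl(sddl)
    allowed, denied = dacl_rights(aces, TRUSTEES["BA"])
    return {
        "ace_count": len(aces),
        "admins_denied": sorted(denied),
        "admins_can_stop": "SERVICE_STOP" in allowed and "SERVICE_STOP" not in denied,
        # WRITE_DAC left to Administrators means the descriptor itself can be
        # rewritten (another sc sdset) and the service stopped afterwards.
        "admins_can_rewrite_dacl": "WRITE_DAC" in allowed and "WRITE_DAC" not in denied,
    }


if __name__ == "__main__":
    for ace in parse_sddl(SDDL_FROM_REPORT):
        print(f"{ace.acl}ACL {ace.kind:5} {ace.trustee:24} {' '.join(sorted(ace.rights))}")
    print(summarize())
```

Two things the decoded descriptor shows. The Administrators allow ACE (CCDCLCSWRPLOCRSDRCWDWO) has had WP and DT removed and a separate DENY ACE for WP and DT (SERVICE_STOP, SERVICE_PAUSE_CONTINUE) added, so `sc stop` and `net stop` fail for local admins while SYSTEM keeps full control. Administrators do keep WRITE_DAC and SERVICE_CHANGE_CONFIG, so on a live host recovery is `sc sdshow WinDefender` to confirm the descriptor, a fresh `sc sdset` with a normal one, and only then the stop and delete.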

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe

"C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe

"C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2316 -ip 2316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
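The Processes list above is the part of this analysis most directly useful for detection engineering: the firewall exception for the dropped binary, the ONLOGON scheduled task with highest run level, the copy of csrss.exe outside System32, the injector that loads a hook DLL into a named process, and the service DACL rewrite. The Python below is an added example by the editor, not sandbox output or code from the sample. It runs a small rule set over the command lines copied from that list and reports which of those steps each one represents. `REPORTED_COMMAND_LINES` is a copy of the report's process list; the rule names and the ATT&CK technique mapping are the editor's; the rules are written to fire on any sample using the same pattern rather than on this sample's strings alone.

```python
"""Rule-based triage of the process command lines recorded in this report."""
import re
from dataclasses import dataclass
from typing import Callable

# Copied from the Processes list of behavioral1 (one entry per distinct line).
REPORTED_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe"',
    r"powershell -nologo -noprofile",
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\rss\csrss.exe",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 856",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'"C:\Windows\windefender.exe"',
    r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
]

# The genuine csrss.exe lives only in these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
CSRSS_PATH = re.compile(r'[A-Za-z]:\\[^\s"]*\\csrss\.exe', re.I)


def csrss_outside_system_dirs(cmd: str) -> bool:
    """Any csrss.exe path in the command line whose directory is not System32/SysWOW64."""
    return any(p.lower().rsplit("\\", 1)[0] not in SYSTEM_DIRS
               for p in CSRSS_PATH.findall(cmd))


def service_dacl_denies_broad_group(cmd: str) -> bool:
    """sc sdset carrying a DENY ACE for Administrators, Everyone or Authenticated Users."""
    return bool(re.search(r"\bsc\s+sdset\b", cmd, re.I)
                and re.search(r"\(D;[^;]*;[A-Z]*;[^;]*;[^;]*;(?:BA|WD|AU)\)", cmd))


def _rx(pattern: str) -> Callable[[str], bool]:
    compiled = re.compile(pattern, re.I)
    return lambda cmd: compiled.search(cmd) is not None


@dataclass(frozen=True)
class Rule:
    name: str
    attack: str                  # editor's ATT&CK mapping, not from the report
    test: Callable[[str], bool]


RULES = [
    Rule("firewall_allow_rule_added", "T1562.004",
         _rx(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b")),
    Rule("schtasks_onlogon_highest_privilege", "T1053.005",
         _rx(r"schtasks\s+/create\b(?=.*\s/sc\s+onlogon\b)(?=.*\s/rl\s+highest\b)")),
    Rule("scheduled_task_deleted", "T1053.005", _rx(r"schtasks\s+/delete\b")),
    # "<loader>.exe <target>.exe <payload>.dll": an injector told which process to hit.
    Rule("target_process_and_dll_on_command_line", "T1055.001",
         _rx(r"\.exe\s+\S+\.exe\s+\S+\.dll\s*$")),
    Rule("csrss_outside_system_dirs", "T1036.005", csrss_outside_system_dirs),
    Rule("service_dacl_denies_broad_group", "T1562", service_dacl_denies_broad_group),
]


def triage(cmdlines) -> dict:
    """Map each command line that fires at least one rule to its rule names, in RULES order."""
    hits = {}
    for cmd in cmdlines:
        names = [r.name for r in RULES if r.test(cmd)]
        if names:
            hits[cmd] = names
    return hits


def techniques(hits: dict) -> set:
    """Distinct ATT&CK technique ids behind a triage result."""
    by_name = {r.name: r.attack for r in RULES}
    return {by_name[n] for names in hits.values() for n in names}


if __name__ == "__main__":
    result = triage(REPORTED_COMMAND_LINES)
    for cmd, names in result.items():
        print(", ".join(names), "<-", cmd[:90])
    print(sorted(techniques(result)))
```

Lines these rules do not catch on their own are the bare `powershell -nologo -noprofile` launches, the WerFault.exe crash handler and `C:\Windows\windefender.exe`; they need parent-process and file-hash context (the report's Files section gives the hashes) rather than a command-line pattern. On a live host the artefacts the rules point at can be confirmed with `schtasks /Query /TN csrss /V`, `netsh advfirewall firewall show rule name=csrss` and `sc sdshow WinDefender`.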

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 d4e8f1dd-2d69-4703-bc86-a7d7ae3d8a33.uuid.theupdatetime.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server7.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2020-1-0x00000000048F0000-0x0000000004CF0000-memory.dmp

memory/2020-2-0x0000000004CF0000-0x00000000055DB000-memory.dmp

memory/2020-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2532-4-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

memory/2532-5-0x0000000004B90000-0x0000000004BC6000-memory.dmp

memory/2532-6-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2532-7-0x00000000052F0000-0x0000000005918000-memory.dmp

memory/2532-8-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2532-9-0x0000000005190000-0x00000000051B2000-memory.dmp

memory/2532-10-0x0000000005990000-0x00000000059F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2zkirdl.jwe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2532-11-0x0000000005B30000-0x0000000005B96000-memory.dmp

memory/2532-21-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

memory/2532-22-0x0000000006140000-0x000000000615E000-memory.dmp

memory/2532-23-0x0000000006190000-0x00000000061DC000-memory.dmp

memory/2532-24-0x00000000066C0000-0x0000000006704000-memory.dmp

memory/2532-25-0x0000000007270000-0x00000000072E6000-memory.dmp

memory/2532-26-0x0000000007BA0000-0x000000000821A000-memory.dmp

memory/2532-27-0x0000000007520000-0x000000000753A000-memory.dmp

memory/2532-29-0x00000000076C0000-0x00000000076F2000-memory.dmp

memory/2532-30-0x0000000070E30000-0x0000000070E7C000-memory.dmp

memory/2532-42-0x0000000007720000-0x00000000077C3000-memory.dmp

memory/2532-43-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2532-41-0x0000000007700000-0x000000000771E000-memory.dmp

memory/2532-44-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2532-31-0x00000000713E0000-0x0000000071734000-memory.dmp

memory/2020-28-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2532-45-0x0000000007810000-0x000000000781A000-memory.dmp

memory/2532-46-0x00000000078D0000-0x0000000007966000-memory.dmp

memory/2532-47-0x0000000007830000-0x0000000007841000-memory.dmp

memory/2532-48-0x0000000007870000-0x000000000787E000-memory.dmp

memory/2532-49-0x0000000007880000-0x0000000007894000-memory.dmp

memory/2532-50-0x0000000007970000-0x000000000798A000-memory.dmp

memory/2532-51-0x00000000078C0000-0x00000000078C8000-memory.dmp

memory/2532-54-0x0000000074F90000-0x0000000075740000-memory.dmp

memory/2020-58-0x0000000004CF0000-0x00000000055DB000-memory.dmp

memory/2020-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2020-55-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/3868-68-0x00000000063A0000-0x00000000066F4000-memory.dmp

memory/3868-69-0x00000000067B0000-0x00000000067FC000-memory.dmp

memory/3868-71-0x00000000710B0000-0x0000000071404000-memory.dmp

memory/3868-81-0x0000000007970000-0x0000000007A13000-memory.dmp

memory/3868-70-0x0000000070F30000-0x0000000070F7C000-memory.dmp

memory/3868-82-0x0000000007C80000-0x0000000007C91000-memory.dmp

memory/3868-83-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 66b5e49902569a0c982103fd4484c540
SHA1 65729cc8a513c65a224734e03874b6a31e98ac0c
SHA256 548fbf5b684adaf7142b64f4001adc6a0ecdcf254c1d7e60a1d906a6ea296f2a
SHA512 a97b58cf888071d6f53fb2d23eb94c6abc0abecd7356eb494cdbe0661c5f4ed3600e965b696b3c67e25c9647e162ed2885491f21b8c1e3826ba2096075bccfdb

memory/3680-96-0x0000000005980000-0x0000000005CD4000-memory.dmp

memory/3680-99-0x0000000071950000-0x0000000071CA4000-memory.dmp

memory/3680-98-0x0000000070F30000-0x0000000070F7C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 15d5391166b661a5037ddf62400ff320
SHA1 70445935ea0d77a1ba69eadd246b69f38adfa730
SHA256 a8dba8ddff0bb111208081d0f385696516d61bdf501cfebe418c6f014f2fd627
SHA512 478b1e1f3f179020c1f72ae81cda895f9c312b970b5db2d6eaa50ef088f83088f5fc05cc47c0f5d0144fb164c5e25ecdcba4a80665f653b505bbfe37952b1036

memory/1608-116-0x0000000005570000-0x00000000058C4000-memory.dmp

memory/1608-122-0x0000000071D00000-0x0000000072054000-memory.dmp

memory/1608-121-0x0000000070F30000-0x0000000070F7C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 6eebae55d2d06a28d9511c0c3a8aeb17
SHA1 723a2403a71e757bcb0c39bf4815ec1c58eb4fa6
SHA256 725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302
SHA512 771d67900d3eb075a133ecd7e6032b415aec7810afe0f78976daa3cd77e8f12b9f4ebc625742273a835e5eb2455ae69219a5ba4227d4130c9baf0c8786b04f0f

memory/2316-138-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/964-148-0x00000000058A0000-0x0000000005BF4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9fb8015b9ed46bfe0c471c6a869864a6
SHA1 2de327d5526b15b874929e295bd2157d99f4441e
SHA256 af06dc2610f020e16b0547050a1cb5a170f72e2826d907fd0a48a30e6139a0ce
SHA512 376504b4dd14c6fbb90fe0c8b06c42e1c5a5b7cd48d025ed66b79436491b1fabd98bb2e8f91a3357ef1bd5d083c4760be3c5a6a57c0725f50c3852f52564eb11

memory/964-150-0x0000000006240000-0x000000000628C000-memory.dmp

memory/964-151-0x0000000070E90000-0x0000000070EDC000-memory.dmp

memory/964-162-0x0000000006F20000-0x0000000006FC3000-memory.dmp

memory/964-152-0x0000000071010000-0x0000000071364000-memory.dmp

memory/964-163-0x0000000007260000-0x0000000007271000-memory.dmp

memory/964-164-0x00000000057B0000-0x00000000057C4000-memory.dmp

memory/4408-168-0x00000000057B0000-0x0000000005B04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9458ca0425560917a8da105a4f1c6f72
SHA1 591f378c910d978e214c59da57ad7f36513d4c06
SHA256 1b39fa9c161a1b31f74ae655d4a79207717d48062a7ef663fb29f8d8cab4d2fa
SHA512 55766fa36bff73cc870649af22832be604690efa085805017bceb1b4330be4d55e4c65c765c124619460733969d87dcf4fa34d30be9432d4e887aafbdbcb463d

memory/4408-177-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

memory/4408-178-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

memory/4408-179-0x0000000071540000-0x0000000071894000-memory.dmp

memory/4408-189-0x00000000070D0000-0x0000000007173000-memory.dmp

memory/4408-190-0x0000000007400000-0x0000000007411000-memory.dmp

memory/4408-191-0x0000000005C90000-0x0000000005CA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 649a5545b6fdb1d980646461eb7dc83d
SHA1 6e57958cdef0d723b5f1e15cdcbdf8923335baf7
SHA256 cea03d577d8779bafc3c527d4da2fec3b977665122720bef2b4df000eafdee7c
SHA512 67f846c58cb9eabac5bc72a2b3f61648e879fac51b7c620267cff8876fccf0b4ab243549ae2a313a54e8a3fd236772e22a57cf9218fd09f1440805b1cb7fdb78

memory/1744-202-0x0000000005620000-0x0000000005974000-memory.dmp

memory/1744-205-0x0000000070F30000-0x0000000071284000-memory.dmp

memory/1744-204-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1152-221-0x0000000000400000-0x0000000002B0D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3908-226-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2460-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3908-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1152-231-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2460-233-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1152-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-234-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/2460-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1152-237-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-239-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-240-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-242-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-245-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-247-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-248-0x0000000000400000-0x0000000002B0D000-memory.dmp

memory/1152-250-0x0000000000400000-0x0000000002B0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 13:23

Reported

2024-05-17 13:26

Platform

win11-20240419-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(19 matches; the sandbox recorded no description, indicator, process or target for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; the sandbox recorded no description, indicator, process or target for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4140 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4140 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4140 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\system32\cmd.exe
PID 4132 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\system32\cmd.exe
PID 1860 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1860 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4132 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\rss\csrss.exe
PID 4132 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\rss\csrss.exe
PID 4132 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe C:\Windows\rss\csrss.exe
PID 1844 wrote to memory of 3564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3564 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4236 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 3288 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4628 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1844 wrote to memory of 4628 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2924 wrote to memory of 1956 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1956 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 1956 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 3356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1956 wrote to memory of 3356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1956 wrote to memory of 3356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe

"C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe

"C:\Users\Admin\AppData\Local\Temp\725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4140 -ip 4140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 9c7bee68-49f2-4981-acdd-4a19060d685d.uuid.theupdatetime.org udp
US 8.8.8.8:53 server6.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server6.theupdatetime.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.108:443 server6.theupdatetime.org tcp
BG 185.82.216.108:443 server6.theupdatetime.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1lwelyz.ngo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6593b0c1db7bf36d51d94c3c2b25823c
SHA1 b6262dd07750a17bffd349f0423425772d9117c0
SHA256 6c701e86231472c41656114df144d8258f27c532df1e6f85d4cbbf727d172685
SHA512 8d63e502e0fadc9e3a6a1a7cec36c1cfd0408dc0f4a299c8298264a11ae40c2285099571b2468358845851d871aca2c121bfc56e858bc745e8d6230768dc8869

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dcca92e8614b6713f13811e9ab6de6ab
SHA1 5a36fb35e869eb21fcdf0f21922361e3d6b11b96
SHA256 5cc48e59fdcb5db5fbac4d8d9322314cbc1920d738abf622bd0390aa4f689c90
SHA512 7db98fc0135cab0b1fd483e47b30ca4d6fb6d7aa83fe5f3c79db4f255c4af5b45e75d7cfb7ea71d627e8b2011bf81c31919ca5494e249902ffa76a3a29bd9bd3

C:\Windows\rss\csrss.exe

MD5 6eebae55d2d06a28d9511c0c3a8aeb17
SHA1 723a2403a71e757bcb0c39bf4815ec1c58eb4fa6
SHA256 725c46946e31fe8b44d708e7562b27bc437373bb269c6f9175adf53d1ec0f302
SHA512 771d67900d3eb075a133ecd7e6032b415aec7810afe0f78976daa3cd77e8f12b9f4ebc625742273a835e5eb2455ae69219a5ba4227d4130c9baf0c8786b04f0f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 85797edea0873a25910f88ba4f084b59
SHA1 c5f570ee17d06726f859ee36f2576d7f68ac6828
SHA256 9443768a2c942840bc563bac5dd5ec1d0150e23681e088031cd5b691573b72bf
SHA512 8cb8acecf20afeb7976db8e6d3ccd3fe44375f67026c8fd3d9ce2c7a4ff4fdf6e0bcc9b534d70891e440a0d09fe7714632589d9418f450ac18070ab28d3c5787

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 877d18f9b584d788dc889aa6af3697b0
SHA1 41e8fc6dad57a3c6624613972c4771d668dd08d9
SHA256 aeff69d10342b9ac3f1923388600d0e15954165bbd4362092ac55eebc0a53f0e
SHA512 b97c6bc7619c428bd47c58973f8f8476f93f7eeb00706e8adf6cd29ad587f98bb565423bbdeaa95b11d1c1610968fee800d65c7d163b903a7e73220bcdd55a81

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9be6485b12932a1fa4b9de8e41fadf30
SHA1 bd292ea57a1f15ec7dfe776f41d847dfa12785f0
SHA256 4ff5d06d13aa084d473536be87f30544ccf8e1a81d5af7b1baf28c0d8e25327e
SHA512 41df42a1dc168b6d46848acd58a324565c8cc72225d25a776974d29f4718ca27ed0660257179aa9e603b253fa8fe9f1d17e8611a3858a5ff3d7f27f87207e552

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
