Malware Analysis Report

2024-11-13 19:42

Sample ID 240517-qm8llsad51
Target c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb
SHA256 c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb
Tags
glupteba discovery dropper evasion execution loader persistence rootkit upx
score
10/10

Analysis Overview

score
10/10

SHA256

c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb

Threat Level: Known bad

The file c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion execution loader persistence rootkit upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Program crash

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 13:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 13:23

Reported

2024-05-17 13:26

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A (2 events)

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (5 events)
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3142 = "South Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (21 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A (12 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (25 events)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (7 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 4428 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 4428 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe C:\Windows\system32\cmd.exe (2 events)
PID 3680 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 events)
PID 4428 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 4428 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 4428 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe C:\Windows\rss\csrss.exe (3 events)
PID 1756 wrote to memory of 4892 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 1756 wrote to memory of 3068 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 1756 wrote to memory of 2736 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 1756 wrote to memory of 5012 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (2 events)
PID 224 wrote to memory of 1148 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 1148 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe (3 events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe

"C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 2548

C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe

"C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 9a546de3-e8e4-4bfd-91de-74dd4dc5c6cc.uuid.filesdumpplace.org udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.filesdumpplace.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server3.filesdumpplace.org tcp
US 74.125.250.129:19302 stun.l.google.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BG 185.82.216.96:443 server3.filesdumpplace.org tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BG 185.82.216.96:443 server3.filesdumpplace.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsqd3ijd.avd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 462e25903733778a16df25f09e831641
SHA1 ddb10a8130be7cafdc259321d6290d42fbee55e7
SHA256 ec8719613471c22495b57a5f387862b572ca9a6b7598fb0a6327c5cbbc7c2870
SHA512 bdc4addfe801ca61e5be9ad03c7f5219b0585b7e8260593de3ea2e635e6745254fbc3bc118dae2145d3a5b63e54f05d1331377b1cd4a01bb08e24bead85a36e5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 da2c2fc941e3c197f49e10e50afe18eb
SHA1 c6dec0d6c1fd2e44e1f6276069ae246d54a1cd89
SHA256 0388249bca656395dfabd7fefaab1f0b828ccde6e9554a276d0ca1e7a09e0faf
SHA512 e0ca4cf8d1d73a70c3a26e6673932a880830288d46744192a72564d5d2d7921b18cac65fe85ea6031b18bc43d8826f0b64ca4889ec632bf53870b9038edc7689

C:\Windows\rss\csrss.exe

MD5 5f3d0bee1362c6d0a99faf39ef80c1dd
SHA1 aa6b423c2293a29d08922f9414e7b6f1eb3e21ff
SHA256 c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb
SHA512 fce68dc66174f9872477e5a04aa9dd88fe426ff1298449d8e5e901a035652555f848f7787676a08b06bc2e15758a5eed863fd9a7c708aed5acf3a1b007f835eb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3919522250d975caef7a328b3bf7cd93
SHA1 2cca5900ed48faefadea35e98ba2ea5d640addeb
SHA256 ad446833b83fc41f451719ea4fc452b8c7972ae4694efa96b966f77ee7943b1a
SHA512 ab776a67287807e63e7057b9191f8c721a7e1af3fcdc19432283c86e4fb29131d4837161527b14b83d3f88f0c6bcf52d65580d97c64b3dfcff1ff3e654cd9f18

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8b916617041c9a8a5ec94e555fa4e610
SHA1 ede152c86b4b81d6236204ac92db1e9112d80013
SHA256 039db64b3a7067322ba9e641747b70587b2a59f6aa957f9d86ca8cb0473783f8
SHA512 6b3be3e2c163bfeab91ae3cb260b952a808787fdf202277ad7e0e49450f90330e62837b21cfa006d599e98d13b23d70b4cc1171451b45694deb8530cab980403

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5d61ba8cd57922aae6dcf19609bb1b1a
SHA1 a7425dfc5cc6a2c0c9d5b0db986fc0bbe5d290c7
SHA256 a7585c9aef1c8254f518990c452a30ebfd2885664548c6b1c8310d53ccc25dec
SHA512 6f7cc5a8ae0f2aa606f2fb1d63ef07c2fd2404b3440b43de3b26f56b33e77ddb48390b688339db0b188c0f4fe11dbf6f6875a7ad7601851ccf6c7ed19b966ffd

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 13:23

Reported

2024-05-17 13:26

Platform

win11-20240426-en

Max time kernel

5s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe

"C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe

"C:\Users\Admin\AppData\Local\Temp\c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 37d97641-b878-43a6-949a-3770685b96e0.uuid.filesdumpplace.org udp
US 8.8.8.8:53 server9.filesdumpplace.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server9.filesdumpplace.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server9.filesdumpplace.org tcp
BG 185.82.216.96:443 server9.filesdumpplace.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgxocvxc.wju.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 346e53a49127965b937c64c5b4b82cdc
SHA1 79ab249dd12360324dbff84b53d9942cb64fac1b
SHA256 f50575e8047a4d1a9f0bc7d030ba99dca2acfa5019110195a341c7a18646e831
SHA512 79228dea7ea762db50fa386aef9c04aa7eddd1432b21240d5e5d76d7d7da8b9840b637ec782e5277b2a13b31629ce7a7817ede5e84690aa5aa480805091f5e0c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ce9a2fa9ff4e473d0c9db414b72673d
SHA1 53dded869c70dbced70e35608f09283a751f9b9e
SHA256 84a2c098e6b7a0c67c5dd812d11db37b75f4b8c57cbee959abb95655fc722178
SHA512 9242c1a704fdc3905c217ff7452d1bcc1e9db0f97646ff9346ba3be9d94902b24590d2cee513ba8b9c6838f22caa1bc0e3722efdfcd9e27601790ecfa966accb

C:\Windows\rss\csrss.exe

MD5 5f3d0bee1362c6d0a99faf39ef80c1dd
SHA1 aa6b423c2293a29d08922f9414e7b6f1eb3e21ff
SHA256 c1e2d1b2a3eaedda7957f1b5332c3023f114a99d51fe37f5a384923b92db40bb
SHA512 fce68dc66174f9872477e5a04aa9dd88fe426ff1298449d8e5e901a035652555f848f7787676a08b06bc2e15758a5eed863fd9a7c708aed5acf3a1b007f835eb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6fdacc69c7dfcfba017b9601f392c285
SHA1 4bbeab916ee19ca96b4409858e5106ba317edc7d
SHA256 d6e44ad6fcc9516a178f1cd8520c8909079eb8dba816e0fed9fe721d0687ace5
SHA512 0197910a4d1786d9f3ff30dd700e8e44c268e520966714d0c27b58da23c5a50c45b688a52e14b7d4a2d975359b0022887dd30521dc6e3c1649ead9102e5fe9c5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e7becf2147f64e65f3da28e4a62fb5ac
SHA1 f2524db879afc33ce252c63e1002e6848972ba1e
SHA256 87e23c8b27f9b6357d28d3b80c5fd5ddc092df2b90df8362cddf958a37886a45
SHA512 a1119740871dda869fd5b168232c6a7073ed591117fe51603a569e63673a506a125d26f65a4a3db220f85268fe932985ad8d5c0edba09dae78f8a204c2d0ad20

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4de64960cdb0742af6ddd576a828058f
SHA1 7107ac209e8e33bbbe5a4833980c57d7fceedb33
SHA256 f61b13daa2a9898fc7f81a13bdc9b79f37c1ea63ed2c1d75597bad5ea564011a
SHA512 4c067761e4a07527b90f0cb37446642495e57ccd1c6f4b5a40ceb7babc6dee6751c2befa6deae66fa06fdfa8cb3d8fc63e1fad6af713e755b898970172c8dedf

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
