Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/07/2024, 12:12
Behavioral task behavioral1
- Sample: 231210-08-Glupteba-68a8fe.exe
- Resource: win7-20240704-en
Behavioral task behavioral2
- Sample: 231210-08-Glupteba-68a8fe.exe
- Resource: win10v2004-20240704-en
The signatures and process tree on this page come from behavioral2 (Windows 10): every YARA hit is prefixed behavioral2/ and the Analysis block names the windows10-2004_x64 platform.
General
- Target: 231210-08-Glupteba-68a8fe.exe
- Size: 8.9MB
- MD5: 8c819f7e632740c87d694356afc931ed
- SHA1: 68e53829368abd4f1d23cb531131223881df97f7
- SHA256: 8b0148744435d6298d2b73fe69019433ca6393e164af4e50709b7dda4b648891
- SHA512: 9c06084ef75c3fc0e83663c0705c2d6f61c3348a8d89050ce07e322898043e42234887386929a066b85f9459006b62269cd3b17b75920085834dd7b781428eea
- SSDEEP: 98304:gHxMZDJ1TRpxYVX9u2iazANfLhZytTD5iqa:GxEvYjHzANDhwN
Malware Config
Signatures
-
Glupteba payload 7 IoCs
The three processes carrying the payload in memory are the initial sample (PID 4548), its re-launched copy (PID 1888) and the dropped C:\Windows\rss\csrss.exe (PID 1948). Both memory ranges are 0x921000 bytes long, i.e. the same unpacked image mapped at two different bases.
resource | yara_rule
- behavioral2/memory/4548-5-0x0000000000800000-0x0000000001121000-memory.dmp | family_glupteba
- behavioral2/memory/4548-98-0x0000000000800000-0x0000000001121000-memory.dmp | family_glupteba
- behavioral2/memory/1888-99-0x0000000000800000-0x0000000001121000-memory.dmp | family_glupteba
- behavioral2/files/0x00080000000234c4-183.dat | family_glupteba
- behavioral2/memory/1888-186-0x0000000000800000-0x0000000001121000-memory.dmp | family_glupteba
- behavioral2/memory/1948-188-0x0000000000020000-0x0000000000941000-memory.dmp | family_glupteba
- behavioral2/memory/1948-278-0x0000000000020000-0x0000000000941000-memory.dmp | family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
The rule added (see the process tree) is an inbound allow for C:\Windows\rss\csrss.exe, named "csrss".
pid | Process
- 1612 | netsh.exe
ASPack v2.12-2.42 1 IoCs
A dropped file matches the aspack_v212_v242 YARA rule, i.e. it is packed with ASPack 2.12-2.42.
resource | yara_rule
- behavioral2/files/0x0009000000023495-2.dat | aspack_v212_v242
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely for geofencing.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | pCrEUV.exe
Executes dropped EXE 5 IoCs
pid | Process
- 1644 | pCrEUV.exe
- 2132 | pCrEUV.exe
- 1948 | csrss.exe
- 632 | pCrEUV.exe
- 1676 | injector.exe
Adds Run key to start application 2 TTPs 2 IoCs
The value name "csrss" mimics the Windows Client/Server Runtime Subsystem binary, but the target C:\Windows\rss\ is not a Windows directory; the real csrss.exe lives in System32. The sample writes the value first and the dropped copy rewrites it once running.
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 231210-08-Glupteba-68a8fe.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver 1 IoCs
Rootkits write to the WinMonFS device to hide directories/files from detection.
description | ioc | Process
- File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
All seven are PowerShell start-up artefacts under C:\Windows\SysWOW64\config\systemprofile, the LocalSystem account's profile directory, which indicates these powershell.exe instances ran as SYSTEM; the CLR_v4.0_32 usage log shows they are 32-bit (SysWOW64) hosts.
description | ioc | Process
- File opened for modification (×5) | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain device and file names exist only inside VirtualBox guests and can be used to detect execution in a VM. Here the sample opens the \??\VBoxMiniRdrDN device (the VirtualBox shared-folders mini-redirector); success means it is running under VirtualBox.
description | ioc | Process
- File opened (read-only) | \??\VBoxMiniRdrDN | 231210-08-Glupteba-68a8fe.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
All 64 entries are "File opened for modification" by pCrEUV.exe; grouped by directory:
- C:\Program Files\7-Zip\: 7zFM.exe, 7zG.exe, Uninstall.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\: AcroTextExtractor.exe, AdobeCollabSync.exe, AcroCEF\RdrServicesUpdater.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\: 7.0.16\createdump.exe, 8.0.2\createdump.exe
- C:\Program Files\Google\Chrome\Application\: chrome.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\: GoogleCrashHandler.exe, GoogleCrashHandler64.exe, GoogleUpdateOnDemand.exe
- C:\Program Files\Java\jdk-1.8\bin\: jabswitch.exe, javapackager.exe, jrunscript.exe, keytool.exe, orbd.exe, pack200.exe, wsgen.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\: javacpl.exe, jjs.exe, policytool.exe, rmiregistry.exe, unpack200.exe
- C:\Program Files\Java\jre-1.8\bin\: jp2launcher.exe, pack200.exe
- C:\Program Files\Microsoft Office\root\Office16\: EXCEL.EXE, IEContentService.exe, MSQRY32.EXE, ONENOTEM.EXE, PPTICO.EXE, excelcnv.exe, msoasb.exe, officeappguardwin32.exe
- C:\Program Files\Microsoft Office\Office16\: OSPPREARM.EXE
- C:\Program Files\Microsoft Office 15\ClientX64\: OfficeClickToRun.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\: filecompare.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\: SQLDumper.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\: MSOXMLED.EXE, OLicenseHeartbeat.exe
- C:\Program Files\Mozilla Firefox\: crashreporter.exe, default-browser-agent.exe, maintenanceservice_installer.exe, pingsender.exe, plugin-container.exe, updater.exe, uninstall\helper.exe
- C:\Program Files\Windows Mail\: wab.exe, and C:\Program Files (x86)\Windows Mail\: wab.exe
- C:\Program Files\Windows Security\BrowserCore\: BrowserCore.exe
- C:\Program Files\WindowsApps\: Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe, Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe, Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe, Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe, Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe, Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe, Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe, microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe, Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe, Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe, Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe, Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe, Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe, Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\rss | 231210-08-Glupteba-68a8fe.exe
- File created | C:\Windows\rss\csrss.exe | 231210-08-Glupteba-68a8fe.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Every instance is launched as powershell -nologo -noprofile from the 32-bit SysWOW64 host (see the process tree).
pid | Process
- 2764 | powershell.exe
- 4336 | powershell.exe
- 2076 | powershell.exe
- 1596 | powershell.exe
- 1684 | powershell.exe
- 5068 | powershell.exe
- 1100 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It reads HKLM\SOFTWARE\Microsoft\NetSh on every start to load its helper DLLs; the three IoCs below are reads only (no value is written), so they are a side effect of the firewall command rather than evidence that the sample registered a helper DLL of its own.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 16 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", by:
- powershell.exe ×7
- pCrEUV.exe ×3
- cmd.exe ×3
- 231210-08-Glupteba-68a8fe.exe ×2
- csrss.exe ×1
Modifies data under HKEY_USERS 64 IoCs
All 64 entries are under \REGISTRY\USER\.DEFAULT, the hive the LocalSystem account sees as HKCU, consistent with the elevated stage of the sample and its PowerShell children running as SYSTEM. The PowerShell entries only create empty certificate-store keys and set two Internet Settings zone flags; no certificate values are written, so nothing on this page shows a trust-store modification.
description | ioc | Process
powershell.exe (34 entries; several keys appear more than once, one per PowerShell instance):
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\{CA, CA\Certificates, Root\Certificates, Root\CRLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\CRLs, Disallowed\CTLs, SmartCardRoot, SmartCardRoot\Certificates}
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\{CA, CA\Certificates, CA\CRLs, trust, trust\Certificates, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, TrustedPeople\CTLs}
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
231210-08-Glupteba-68a8fe.exe (30 entries): Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-<id> = "<time-zone name>", i.e. MUI cache entries written while the sample enumerated time-zone display names:
- -31 "Mid-Atlantic Daylight Time", -72 "Newfoundland Standard Time", -105 "Central Brazilian Standard Time", -215 "Pacific Standard Time (Mexico)", -342 "Egypt Standard Time", -401 "Arabic Daylight Time", -435 "Georgian Standard Time", -452 "Caucasus Standard Time", -512 "Central Asia Standard Time", -532 "Sri Lanka Standard Time", -572 "China Standard Time", -601 "Taipei Daylight Time", -631 "Tokyo Daylight Time", -661 "Cen. Australia Daylight Time", -671 "AUS Eastern Daylight Time", -731 "Fiji Daylight Time", -912 "Mauritius Standard Time", -962 "Paraguay Standard Time", -981 "Kamchatka Daylight Time", -1501 "Turkey Daylight Time", -1662 "Bahia Standard Time", -1872 "Russia TZ 7 Standard Time", -2042 "Eastern Standard Time (Mexico)", -2142 "Transbaikal Standard Time", -2181 "Astrakhan Daylight Time", -2322 "Sakhalin Standard Time", -2412 "Marquesas Standard Time", -2452 "Saint Pierre Standard Time", -2571 "Turks and Caicos Daylight Time", -2751 "Tomsk Daylight Time"
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here (see the process tree) is named "csrss", triggers ONLOGON at the highest run level and runs C:\Windows\rss\csrss.exe; a second schtasks instance deletes a task named ScheduledUpdate.
pid | Process
- 1424 | schtasks.exe
- 1532 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (aggregated from the 64 listed occurrences)
- 1676 | injector.exe ×34
- 1888 | 231210-08-Glupteba-68a8fe.exe ×10
- 1948 | csrss.exe ×4
- 4548 | 231210-08-Glupteba-68a8fe.exe ×2
- 1684 | powershell.exe ×2
- 5068 | powershell.exe ×2
- 1100 | powershell.exe ×2
- 2764 | powershell.exe ×2
- 4336 | powershell.exe ×2
- 2076 | powershell.exe ×2
- 1596 | powershell.exe ×2
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 1684 | powershell.exe
- Token: SeDebugPrivilege | 4548 | 231210-08-Glupteba-68a8fe.exe
- Token: SeImpersonatePrivilege | 4548 | 231210-08-Glupteba-68a8fe.exe
- Token: SeDebugPrivilege | 5068 | powershell.exe
- Token: SeDebugPrivilege | 1100 | powershell.exe
- Token: SeDebugPrivilege | 2764 | powershell.exe
- Token: SeDebugPrivilege | 4336 | powershell.exe
- Token: SeDebugPrivilege | 2076 | powershell.exe
- Token: SeDebugPrivilege | 1596 | powershell.exe
- Token: SeSystemEnvironmentPrivilege | 1948 | csrss.exe
Suspicious use of WriteProcessMemory 48 IoCs
The procid_target column is the target's index in the report's process list, not a PID. Each parent/child pair is recorded once per write (two or three times); the 48 records aggregate as follows. Note that PID 1888, the re-launched sample, never appears as a target, so its own start is not captured by this signature; the process tree places it under PID 4548.
description | pid | Process | procid_target
- PID 4548 wrote to memory of 1644 (×3) | 4548 | 231210-08-Glupteba-68a8fe.exe | 83
- PID 4548 wrote to memory of 1684 (×3) | 4548 | 231210-08-Glupteba-68a8fe.exe | 85
- PID 1644 wrote to memory of 3600 (×3) | 1644 | pCrEUV.exe | 88
- PID 1888 wrote to memory of 2132 (×3) | 1888 | 231210-08-Glupteba-68a8fe.exe | 97
- PID 2132 wrote to memory of 4332 (×3) | 2132 | pCrEUV.exe | 98
- PID 1888 wrote to memory of 5068 (×3) | 1888 | 231210-08-Glupteba-68a8fe.exe | 101
- PID 1888 wrote to memory of 996 (×2) | 1888 | 231210-08-Glupteba-68a8fe.exe | 103
- PID 996 wrote to memory of 1612 (×2) | 996 | cmd.exe | 105
- PID 1888 wrote to memory of 1100 (×3) | 1888 | 231210-08-Glupteba-68a8fe.exe | 107
- PID 1888 wrote to memory of 2764 (×3) | 1888 | 231210-08-Glupteba-68a8fe.exe | 110
- PID 1888 wrote to memory of 1948 (×3) | 1888 | 231210-08-Glupteba-68a8fe.exe | 112
- PID 1948 wrote to memory of 632 (×3) | 1948 | csrss.exe | 113
- PID 1948 wrote to memory of 4336 (×3) | 1948 | csrss.exe | 114
- PID 632 wrote to memory of 3684 (×3) | 632 | pCrEUV.exe | 116
- PID 1948 wrote to memory of 2076 (×3) | 1948 | csrss.exe | 122
- PID 1948 wrote to memory of 1596 (×3) | 1948 | csrss.exe | 124
- PID 1948 wrote to memory of 1676 (×2) | 1948 | csrss.exe | 126
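The WriteProcessMemory records are the only place this page records which process started which, and the sandbox's own tree has to be read against them. The Python below is an added editor's example, not part of the Triage report: it parses the records in the page's own "PID A wrote to memory of B A <process> <target index>" format, rebuilds the parent/child tree, and tags each process whose memory dump matched the family_glupteba rule with the matching range. Two things it makes visible: PID 1888 never appears as a target, so the records alone show two roots rather than one chain, and both payload ranges have the same size (0x921000 bytes), consistent with one image mapped at two bases. The record and hit strings are copied from this report (one copy of each record; the report repeats most of them); the "?" placeholder for processes that never write into another process is the example's own convention.

```python
import re
from collections import defaultdict

# Input copied from this report: the distinct "Suspicious use of
# WriteProcessMemory" records (the report lists most of them two or three
# times, once per write). The trailing number is procid_target, the target's
# index in the report's process list, not a PID.
WPM_RECORDS = """
PID 4548 wrote to memory of 1644 4548 231210-08-Glupteba-68a8fe.exe 83
PID 4548 wrote to memory of 1684 4548 231210-08-Glupteba-68a8fe.exe 85
PID 1644 wrote to memory of 3600 1644 pCrEUV.exe 88
PID 1888 wrote to memory of 2132 1888 231210-08-Glupteba-68a8fe.exe 97
PID 2132 wrote to memory of 4332 2132 pCrEUV.exe 98
PID 1888 wrote to memory of 5068 1888 231210-08-Glupteba-68a8fe.exe 101
PID 1888 wrote to memory of 996 1888 231210-08-Glupteba-68a8fe.exe 103
PID 996 wrote to memory of 1612 996 cmd.exe 105
PID 1888 wrote to memory of 1100 1888 231210-08-Glupteba-68a8fe.exe 107
PID 1888 wrote to memory of 2764 1888 231210-08-Glupteba-68a8fe.exe 110
PID 1888 wrote to memory of 1948 1888 231210-08-Glupteba-68a8fe.exe 112
PID 1948 wrote to memory of 632 1948 csrss.exe 113
PID 1948 wrote to memory of 4336 1948 csrss.exe 114
PID 632 wrote to memory of 3684 632 pCrEUV.exe 116
PID 1948 wrote to memory of 2076 1948 csrss.exe 122
PID 1948 wrote to memory of 1596 1948 csrss.exe 124
PID 1948 wrote to memory of 1676 1948 csrss.exe 126
"""

# The "Glupteba payload" YARA hits, copied from this report.
PAYLOAD_HITS = """
behavioral2/memory/4548-5-0x0000000000800000-0x0000000001121000-memory.dmp family_glupteba
behavioral2/memory/4548-98-0x0000000000800000-0x0000000001121000-memory.dmp family_glupteba
behavioral2/memory/1888-99-0x0000000000800000-0x0000000001121000-memory.dmp family_glupteba
behavioral2/files/0x00080000000234c4-183.dat family_glupteba
behavioral2/memory/1888-186-0x0000000000800000-0x0000000001121000-memory.dmp family_glupteba
behavioral2/memory/1948-188-0x0000000000020000-0x0000000000941000-memory.dmp family_glupteba
behavioral2/memory/1948-278-0x0000000000020000-0x0000000000941000-memory.dmp family_glupteba
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp\s+(\S+)")


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_name, target_index) tuples."""
    return [(int(w), int(t), name, int(idx)) for w, t, name, idx in WPM_RE.findall(text)]


def build_tree(records):
    """Parent -> ordered list of children, plus the names the records give us.
    Only the writer is named in a record, so a process that never writes into
    another one keeps the placeholder '?' (example convention)."""
    children = defaultdict(list)
    names = {}
    for writer, target, name, _ in records:
        names[writer] = name
        names.setdefault(target, "?")
        if target not in children[writer]:
            children[writer].append(target)
    return dict(children), names


def roots(children):
    """Writers that are never a target. A process started without a
    WriteProcessMemory from its parent (here PID 1888) is its own root."""
    targets = {t for kids in children.values() for t in kids}
    return sorted(p for p in children if p not in targets)


def payload_regions(text):
    """pid -> {(start, end)} for memory dumps that matched the family rule."""
    regions = defaultdict(set)
    for pid, start, end, rule in DUMP_RE.findall(text):
        if rule == "family_glupteba":
            regions[int(pid)].add((int(start, 16), int(end, 16)))
    return dict(regions)


def render(children, names, regions, pid, depth=0, out=None):
    """Indented text tree; processes with an in-memory payload hit are tagged."""
    out = [] if out is None else out
    tag = ""
    if pid in regions:
        spans = ", ".join(f"0x{s:x}-0x{e:x} ({(e - s) // 1024} KiB)" for s, e in sorted(regions[pid]))
        tag = f" [glupteba payload: {spans}]"
    out.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{tag}")
    for kid in children.get(pid, []):
        render(children, names, regions, kid, depth + 1, out)
    return out


def process_tree_report(wpm_text=WPM_RECORDS, hits_text=PAYLOAD_HITS):
    """Lines of the reconstructed tree, one root after another."""
    children, names = build_tree(parse_wpm(wpm_text))
    regions = payload_regions(hits_text)
    lines = []
    for root in roots(children):
        render(children, names, regions, root, 0, lines)
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree_report()))
```

Running it prints 1888 and 4548 as separate roots, each tagged with the 0x921000-byte payload range; csrss.exe (PID 1948) carries the same image at base 0x20000. Feeding it a full report export instead of the excerpt only requires pasting more records into the two strings.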
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
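Taken together, the firewall rule, the Run value, the scheduled task and the drop into C:\Windows\rss form one persistence chain, and each step is visible in a process-creation or registry event. The Python below is an added detection example (not part of the Triage report, nor any product's rule set) that runs a handful of rules over constructed events mirroring this page's command lines, plus two benign controls (a Chrome firewall rule and a OneDrive Run value, both constructed) so the rules can be seen staying quiet. It flags: a netsh advfirewall "add rule" allowing a program outside the trusted directories; a schtasks /CREATE with /RL HIGHEST whose /TR is outside them; a Run value pointing outside them (rated high when the value name copies a system binary such as csrss); a process named like a system binary but not under System32; and, as information, use of the C:\Windows\Sysnative\ alias, which only makes sense from a 32-bit process reaching the native 64-bit System32. The trusted-directory list, the rule names and the severity labels are the example's own assumptions; C:\Windows itself is deliberately not on the list, since this sample writes to C:\Windows\rss.

```python
import re
import shlex

# Constructed events mirroring the persistence chain in this report (command
# lines copied from the process tree, SID from the Run-key IoC); the last two
# are benign controls that should produce no findings.
SID = "S-1-5-21-1403246978-718555486-3105247137-1000"
RUN_KEY = "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
EVENTS = [
    {"type": "process", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'},
    {"type": "process", "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"type": "registry", "key": RUN_KEY, "value": "csrss", "data": r'"C:\Windows\rss\csrss.exe"'},
    {"type": "process", "image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"type": "process", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"type": "process", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r"schtasks /delete /tn ScheduledUpdate /f"},
    # benign controls (constructed, not from the report)
    {"type": "process", "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow program="C:\Program Files\Google\Chrome\Application\chrome.exe" enable=yes'},
    {"type": "registry", "key": RUN_KEY, "value": "OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# Assumed policy: C:\Windows itself is not trusted because this sample drops into C:\Windows\rss.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                   "wininit.exe", "winlogon.exe", "svchost.exe"}


def norm(path):
    return path.strip().strip('"').lower()


def in_trusted_dir(path):
    return norm(path).startswith(TRUSTED_DIRS)


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def first_exe(data):
    """Executable part of a Run value: the quoted token if any, else the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)) if m else ""


def kv_args(cmdline):
    """key=value pairs as netsh takes them; values may be double-quoted."""
    return {k.lower(): q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', cmdline)}


def switch_args(cmdline):
    """/SWITCH [value] pairs as schtasks takes them. Non-POSIX splitting keeps
    backslashes and quotes intact; quotes are stripped afterwards."""
    toks = shlex.split(cmdline, posix=False)
    args, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("/") else ""
            args[tok[1:].lower()] = nxt.strip('"')
            i += 2 if nxt else 1
        else:
            i += 1
    return args


def check_process(ev):
    image, cmd = ev["image"], ev["cmdline"]
    exe, low = basename(image), cmd.lower()
    out = []
    if exe in SYSTEM_BINARIES and not in_trusted_dir(image):
        out.append(("high", "system binary name running outside System32", image))
    if "\\sysnative\\" in low:
        out.append(("info", "Sysnative alias used: 32-bit process reaching 64-bit System32", cmd))
    if exe == "netsh.exe" and "advfirewall" in low and "add rule" in low:
        a = kv_args(cmd)
        prog = a.get("program", "")
        if a.get("action", "").lower() == "allow" and prog and not in_trusted_dir(prog):
            out.append(("high", f"firewall allow rule '{a.get('name')}' for untrusted program", prog))
    if exe == "schtasks.exe":
        a = switch_args(cmd)
        if "create" in a:
            tr = a.get("tr", "")
            if a.get("rl", "").lower() == "highest" and tr and not in_trusted_dir(tr):
                out.append(("high", f"task '{a.get('tn')}' runs untrusted binary at highest level on {a.get('sc', '?')}", tr))
        elif "delete" in a:
            out.append(("low", f"scheduled task '{a.get('tn')}' deleted", cmd))
    return out


def check_registry(ev):
    out = []
    if ev["key"].lower().endswith("\\currentversion\\run"):
        exe = first_exe(ev["data"])
        if exe and not in_trusted_dir(exe):
            sev = "high" if ev["value"].lower() + ".exe" in SYSTEM_BINARIES else "medium"
            out.append((sev, f"Run value '{ev['value']}' points outside trusted directories", exe))
    return out


def detect(events):
    """Apply the rules to every event; returns findings in event order."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        findings.extend({"severity": s, "rule": r, "evidence": e} for s, r, e in hits)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['severity']:>6}] {f['rule']}: {f['evidence']}")
```

The six events taken from the report yield six findings (four high, one low, one informational) and the two controls yield none. To use it on real telemetry, map Sysmon event 1 (process create) and event 13 (registry value set) onto the same three-field dicts; the command-line parsers are the part worth keeping, since both netsh and schtasks accept quoted paths that naive whitespace splitting breaks.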
Processes
-
C:\Users\Admin\AppData\Local\Temp\231210-08-Glupteba-68a8fe.exe"C:\Users\Admin\AppData\Local\Temp\231210-08-Glupteba-68a8fe.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\pCrEUV.exeC:\Users\Admin\AppData\Local\Temp\pCrEUV.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\55ae6a14.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:3600
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\231210-08-Glupteba-68a8fe.exe"C:\Users\Admin\AppData\Local\Temp\231210-08-Glupteba-68a8fe.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
  C:\Windows\TEMP\pCrEUV.exe (level 3)
  Command line: C:\Windows\TEMP\pCrEUV.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
    C:\Windows\SysWOW64\cmd.exe (level 4)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\3c771450.bat" "
    - System Location Discovery: System Language Discovery
    PID:4332
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
  C:\Windows\system32\cmd.exe (level 3)
  Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
  - Suspicious use of WriteProcessMemory
  PID:996
    C:\Windows\system32\netsh.exe (level 4)
    Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1612
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
  Command line: powershell -nologo -noprofile
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
  C:\Windows\rss\csrss.exe (level 3)
  Command line: C:\Windows\rss\csrss.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Manipulates WinMonFS driver
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
    C:\Windows\TEMP\pCrEUV.exe (level 4)
    Command line: C:\Windows\TEMP\pCrEUV.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:632
      C:\Windows\SysWOW64\cmd.exe (level 5)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\13484dda.bat" "
      - System Location Discovery: System Language Discovery
      PID:3684
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
    Command line: powershell -nologo -noprofile
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
    C:\Windows\SYSTEM32\schtasks.exe (level 4)
    Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
    - Scheduled Task/Job: Scheduled Task
    PID:1424
    C:\Windows\SYSTEM32\schtasks.exe (level 4)
    Command line: schtasks /delete /tn ScheduledUpdate /f
    PID:4924
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
    Command line: powershell -nologo -noprofile
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 4)
    Command line: powershell -nologo -noprofile
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (level 4)
    Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1676
    C:\Windows\SYSTEM32\schtasks.exe (level 4)
    Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
    - Scheduled Task/Job: Scheduled Task
    PID:1532
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads