Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-x2v3dsbe97
Target f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8
SHA256 f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8
Tags
glupteba dropper evasion loader upx discovery persistence rootkit
score
10/10


Analysis Overview

score
10/10

SHA256

f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8

Threat Level: Known bad

The file f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader upx discovery persistence rootkit

Glupteba payload

Glupteba

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:21

Reported

2024-04-17 19:24

Platform

win10v2004-20240412-en

Max time kernel

3s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe

"C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe

"C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 187.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 60.166.213.23.in-addr.arpa udp
US 8.8.8.8:53 c8daa38b-974b-46cc-8c28-fc74383f7e7c.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server13.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
BG 185.82.216.96:443 server13.thestatsfiles.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmgs52ei.g4d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5bcb1acb3234122960d4b4bea5f39bbc
SHA1 08ebdabc8e0ecd9911c88bbb542e26383374dda7
SHA256 21d224ab97a3fdcdc8c5676e56490d3440456e66a8a01ec8900df9f366fd5565
SHA512 f9b93d712e0fa7bf56144aefc17eadf66f044993b82eb576d8bb9a00fec63de063a726094fa3060ad3a9bcf44a76e4d865a7f4b0c73a905cf28e9308e821bfe6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 80c7638ff089d92d054248299b50afcd
SHA1 3cd1da7ce68f7759cd9cd01febaae16b05530f81
SHA256 3f3683e592df16da2f82e2342a22d7c5893fe09e80e04b2550d1e1fa73c6b406
SHA512 67541702623e6fc7db14f9c850eeb36696fad6528868def1511b6b0d9737b16bf2d127f6dbaaa1fcd586cd69ef2d37075db9c34da2e089c9e77c9b7dca332abb

C:\Windows\rss\csrss.exe

MD5 0026971f45cdb3b146e4e105a8023d00
SHA1 8b69ff1343fece5448f5080faf2fd57e802342fd
SHA256 f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8
SHA512 13b7d668d9ffb8eba814455f753dde6acec7bbc887e364dc0a6afe47ec42117fcc31228dc776eb94661d8aa695c8d0379ab571bbbeb6efe6f224105ce13cb70f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 88eefed0fe8c689390b10c5ed72a183a
SHA1 a8042bcb6dfe6bb73cfcbe22c82922a70c5bdc5f
SHA256 a3f978d50c5f2b30deb7412ca01599d7d3b9f2edf1a6598699d44bb60b53798e
SHA512 046e992a288b49b8fadd54c314fbb42c39ef4554da9c57d0515de34c76cdd1ca1bca7dd7f09c2fe9c153e168cc24fbfa372a1cf6ac523e567c2d41126164783e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3e44fcb9ef8356fd571c9644168eb226
SHA1 2d740c65245accb792a4131b66e23b732eff44f4
SHA256 86d69b06bab3ee3626d5c9de5f87aed5e727cb196e548938438652a74dd344d4
SHA512 ef58374eede924e20ddda78f871783d4877fa965bd1b12b96e143fa3859adf8f38184fecb86bba06593eaaae6022484014ceb09b90126362fcc4b0aebea91b20

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4f3059b6fd620e39f9d13fe2669b15b1
SHA1 100fb8f517bbdcd1d713e574697126f471131e9f
SHA256 f71987d9b340c84c81d881bb7404d5686c9b527989c6960f242d7d1a79421dc2
SHA512 8ad895afb5d66adb42b00197a08d298cad428c1ee4f1e37e7de39aef324ca4e31e3533851a5e2baea6f18d6aebbb1a54daf5d41fbb0bf27eca0f86d0c7951955

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:21

Reported

2024-04-17 19:24

Platform

win11-20240412-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 984 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 984 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 984 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\system32\cmd.exe
PID 4056 wrote to memory of 5472 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\system32\cmd.exe
PID 5472 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5472 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4056 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4056 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\rss\csrss.exe
PID 4056 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\rss\csrss.exe
PID 4056 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe C:\Windows\rss\csrss.exe
PID 2756 wrote to memory of 4868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4868 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4344 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4344 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 4344 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 5568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 5568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 5568 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2756 wrote to memory of 1684 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2756 wrote to memory of 1684 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1764 wrote to memory of 2020 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 2020 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 2020 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2020 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2020 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe

"C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe

"C:\Users\Admin\AppData\Local\Temp\f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 186.77.117.104.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp
BG 185.82.216.96:443 server16.thestatsfiles.ru tcp

Files

memory/984-1-0x0000000004F70000-0x000000000536C000-memory.dmp

memory/984-2-0x0000000005370000-0x0000000005C5B000-memory.dmp

memory/984-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3464-4-0x0000000074880000-0x0000000075031000-memory.dmp

memory/3464-5-0x00000000028E0000-0x0000000002916000-memory.dmp

memory/3464-6-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/3464-7-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/3464-8-0x0000000005170000-0x000000000579A000-memory.dmp

memory/3464-9-0x0000000004F00000-0x0000000004F22000-memory.dmp

memory/3464-10-0x00000000050A0000-0x0000000005106000-memory.dmp

memory/3464-11-0x0000000005810000-0x0000000005876000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nevyukbc.s4m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3464-20-0x00000000058C0000-0x0000000005C17000-memory.dmp

memory/3464-21-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

memory/3464-22-0x0000000005E70000-0x0000000005EBC000-memory.dmp

memory/3464-23-0x0000000006340000-0x0000000006386000-memory.dmp

memory/3464-24-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/3464-26-0x000000007FBF0000-0x000000007FC00000-memory.dmp

memory/3464-25-0x00000000071E0000-0x0000000007214000-memory.dmp

memory/3464-27-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/3464-28-0x0000000070D20000-0x0000000071077000-memory.dmp

memory/3464-37-0x0000000007220000-0x000000000723E000-memory.dmp

memory/3464-38-0x0000000007240000-0x00000000072E4000-memory.dmp

memory/3464-39-0x00000000079B0000-0x000000000802A000-memory.dmp

memory/3464-40-0x0000000007370000-0x000000000738A000-memory.dmp

memory/3464-41-0x00000000073B0000-0x00000000073BA000-memory.dmp

memory/3464-42-0x00000000074C0000-0x0000000007556000-memory.dmp

memory/3464-43-0x00000000073D0000-0x00000000073E1000-memory.dmp

memory/3464-45-0x0000000007420000-0x000000000742E000-memory.dmp

memory/984-44-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3464-46-0x0000000007430000-0x0000000007445000-memory.dmp

memory/3464-47-0x0000000007480000-0x000000000749A000-memory.dmp

memory/3464-48-0x0000000004C70000-0x0000000004C78000-memory.dmp

memory/3464-51-0x0000000074880000-0x0000000075031000-memory.dmp

memory/4056-53-0x0000000004E80000-0x000000000527E000-memory.dmp

memory/984-54-0x0000000004F70000-0x000000000536C000-memory.dmp

memory/4056-55-0x0000000005280000-0x0000000005B6B000-memory.dmp

memory/4056-56-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4948-57-0x0000000005610000-0x0000000005967000-memory.dmp

memory/984-66-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4948-67-0x0000000074880000-0x0000000075031000-memory.dmp

memory/4948-68-0x0000000004850000-0x0000000004860000-memory.dmp

memory/4948-69-0x0000000004850000-0x0000000004860000-memory.dmp

memory/4948-72-0x000000007F1B0000-0x000000007F1C0000-memory.dmp

memory/4948-71-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/4948-73-0x0000000070D40000-0x0000000071097000-memory.dmp

memory/4948-82-0x0000000006D90000-0x0000000006E34000-memory.dmp

memory/4948-83-0x00000000070A0000-0x00000000070B1000-memory.dmp

memory/4056-84-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4948-85-0x00000000070F0000-0x0000000007105000-memory.dmp

memory/4948-88-0x0000000074880000-0x0000000075031000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/4056-91-0x0000000004E80000-0x000000000527E000-memory.dmp

memory/4916-92-0x0000000074880000-0x0000000075031000-memory.dmp

memory/4916-93-0x0000000002210000-0x0000000002220000-memory.dmp

memory/4916-94-0x0000000002210000-0x0000000002220000-memory.dmp

memory/4916-103-0x0000000005610000-0x0000000005967000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a33ea37b183671af083473793db6ccc9
SHA1 d2d9318696b18dbb5afbd0bb86b6a7cc7bb238c2
SHA256 a477d55973f346eef86b22a8d0d6f3ec7838a25a98b03d5cd2346e412afd723b
SHA512 6c63c595d08a5a3337259306c4bb20e98cd807997e49cdec8d2839b1ccc1666940c2505b21fd3b5364b058538db983276f90b4eb70f77412b56f2ec451d2c091

memory/4056-105-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4916-106-0x0000000002210000-0x0000000002220000-memory.dmp

memory/4916-107-0x000000007F760000-0x000000007F770000-memory.dmp

memory/4916-108-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/4916-109-0x0000000070D00000-0x0000000071057000-memory.dmp

memory/4916-120-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1444-121-0x0000000074880000-0x0000000075031000-memory.dmp

memory/1444-122-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1444-123-0x00000000030B0000-0x00000000030C0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6e19de78592c6fb55abf908b767cc456
SHA1 bf839320be91f00adc8b3a53428a0e418ed3691c
SHA256 bc63f43b989da3ff79a0c4992859ef1fb46d9cdf6bec45d582b533e6f2b558db
SHA512 bc2840dc69e1676ee454127b233b5900ce5470d37a3d01a276689369be3fabe5c9cdbad7f4c9f8db707e637ecaa154796682f64bf75a228b389b2450ee19b588

memory/1444-133-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/1444-134-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

memory/1444-135-0x0000000070D40000-0x0000000071097000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0026971f45cdb3b146e4e105a8023d00
SHA1 8b69ff1343fece5448f5080faf2fd57e802342fd
SHA256 f70f95ed534161122975544c706cd73590273b15e93400debaf61a726cb8efe8
SHA512 13b7d668d9ffb8eba814455f753dde6acec7bbc887e364dc0a6afe47ec42117fcc31228dc776eb94661d8aa695c8d0379ab571bbbeb6efe6f224105ce13cb70f

memory/4056-150-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e32277e945024f5745f476fa14b2416b
SHA1 a976c47dd6fe45e032788bd8500977ee00c966ff
SHA256 9fbbdf9879f25aec062c5fa477b64a0662a1e8d593ed2fa147b6e73cf6af971c
SHA512 17358b4e2b38778cfd7e54bec7596b7b245c654191dae96e0413d98c624379a5165b018ce016060592968aae375caec9d57c7925f939b0b6b6783437bcaedc01

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d24f8a8ce0ef2e1c04888ca755232a2e
SHA1 9a1c57f93fcb39dcb1cbe3d425ec19e253b990d1
SHA256 5c1eccebbc2a0a2e0df406a10ba0faf95e2eba57b5423cc8a9f8472116bc524d
SHA512 7927057cd5a0aeb507e90c84f7c4130fdc74c65532eadce8d79e8e2a13b9d780be5eed313374bfbb8e2e9866b15133ea72f7654fbe4b9ddfe75d5756f907f120

memory/2756-214-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bb34d4404d41d5e67c7729ddaaba2ba5
SHA1 67c7ac57c7407c02c6775c42c6e1f472d259600b
SHA256 9bc86d1d1f499534178a695bcca9eefd2d6c54f930097151c8f810e4dd25087b
SHA512 12d259dc08d7ee9ec61a00b6b6fc541f2084a07b0023193b588d5931a23398d39cd8c13efb21e9dfa678f79890178b6962ae5e8462401523870b5fb7a05502cc

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2756-247-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1764-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2756-257-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3636-259-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2756-260-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2756-263-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3636-265-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2756-266-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2756-269-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2756-272-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2756-275-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2756-278-0x0000000000400000-0x000000000310E000-memory.dmp