Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-xsna7ace2w
Target 17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff
SHA256 17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff
Tags
glupteba dropper evasion loader upx discovery persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff

Threat Level: Known bad

The file 17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:07

Reported

2024-04-17 19:09

Platform

win10v2004-20240412-en

Max time kernel

1s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe

"C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe

"C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.217:443 www.bing.com tcp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 217.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 60.166.213.23.in-addr.arpa udp
US 8.8.8.8:53 65f35936-7019-47c0-b29a-a39047c87340.uuid.statscreate.org udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server11.statscreate.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BE 172.253.120.127:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server11.statscreate.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 127.120.253.172.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
NL 13.95.31.18:443 tcp
BG 185.82.216.96:443 server11.statscreate.org tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
BG 185.82.216.96:443 server11.statscreate.org tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/2204-1-0x0000000004F20000-0x000000000531C000-memory.dmp

memory/2204-2-0x0000000005320000-0x0000000005C0B000-memory.dmp

memory/2204-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4956-4-0x0000000004970000-0x00000000049A6000-memory.dmp

memory/4956-7-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

memory/4956-8-0x0000000005110000-0x0000000005738000-memory.dmp

memory/4956-6-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

memory/4956-5-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4956-9-0x0000000004F50000-0x0000000004F72000-memory.dmp

memory/4956-11-0x0000000005740000-0x00000000057A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gbkzeq2.foe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4956-21-0x0000000005930000-0x0000000005C84000-memory.dmp

memory/4956-10-0x0000000005000000-0x0000000005066000-memory.dmp

memory/4956-22-0x0000000005F40000-0x0000000005F5E000-memory.dmp

memory/4956-23-0x0000000005F90000-0x0000000005FDC000-memory.dmp

memory/4956-24-0x00000000064E0000-0x0000000006524000-memory.dmp

memory/4956-25-0x0000000007260000-0x00000000072D6000-memory.dmp

memory/4956-27-0x0000000007300000-0x000000000731A000-memory.dmp

memory/4956-26-0x0000000007960000-0x0000000007FDA000-memory.dmp

memory/4956-29-0x000000007F1A0000-0x000000007F1B0000-memory.dmp

memory/4956-42-0x0000000007520000-0x00000000075C3000-memory.dmp

memory/4956-44-0x0000000007610000-0x000000000761A000-memory.dmp

memory/4956-43-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

memory/4956-41-0x0000000007500000-0x000000000751E000-memory.dmp

memory/4956-45-0x00000000076D0000-0x0000000007766000-memory.dmp

memory/4956-31-0x00000000708E0000-0x0000000070C34000-memory.dmp

memory/4956-46-0x0000000007630000-0x0000000007641000-memory.dmp

memory/4956-30-0x00000000704F0000-0x000000007053C000-memory.dmp

memory/4956-28-0x00000000074C0000-0x00000000074F2000-memory.dmp

memory/4956-48-0x0000000007680000-0x0000000007694000-memory.dmp

memory/4956-47-0x0000000007670000-0x000000000767E000-memory.dmp

memory/4956-50-0x00000000076C0000-0x00000000076C8000-memory.dmp

memory/4956-49-0x0000000007770000-0x000000000778A000-memory.dmp

memory/4956-53-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/2204-54-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2204-55-0x0000000005320000-0x0000000005C0B000-memory.dmp

memory/4732-57-0x0000000004DA0000-0x00000000051A7000-memory.dmp

memory/4952-60-0x00000000032C0000-0x00000000032D0000-memory.dmp

memory/4952-66-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4952-71-0x0000000006210000-0x0000000006564000-memory.dmp

memory/4952-59-0x00000000032C0000-0x00000000032D0000-memory.dmp

memory/4732-58-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4952-72-0x0000000006D30000-0x0000000006D7C000-memory.dmp

memory/4952-75-0x0000000070D90000-0x00000000710E4000-memory.dmp

memory/4952-86-0x0000000007A10000-0x0000000007AB3000-memory.dmp

memory/4952-85-0x00000000032C0000-0x00000000032D0000-memory.dmp

memory/4952-74-0x00000000705F0000-0x000000007063C000-memory.dmp

memory/4952-73-0x000000007F560000-0x000000007F570000-memory.dmp

memory/4952-87-0x0000000007D30000-0x0000000007D41000-memory.dmp

memory/4952-88-0x0000000007D80000-0x0000000007D94000-memory.dmp

memory/4952-91-0x00000000746F0000-0x0000000074EA0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/464-95-0x0000000004780000-0x0000000004790000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dfaf65203cf779d67561f131e59d7eba
SHA1 dce4f529778fba9985a4e0fb390eeae6bb91f997
SHA256 c4e5a4966abf78e7b6fd6c25f65caf375b6b7ea5705e704840e10f95967d5e26
SHA512 e6aa64b4071b8cce0f2e8dc4dec8f745699cdd60da19035962ee13326748c6fa6536a36ba7922d3d4ad1abec0f39f32609ebbc7f2ec27f4adb2a376f0d48ffa6

memory/464-105-0x0000000005790000-0x0000000005AE4000-memory.dmp

memory/464-94-0x0000000004780000-0x0000000004790000-memory.dmp

memory/464-93-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/464-109-0x0000000070DA0000-0x00000000710F4000-memory.dmp

memory/464-119-0x0000000004780000-0x0000000004790000-memory.dmp

memory/464-108-0x00000000705F0000-0x000000007063C000-memory.dmp

memory/464-107-0x000000007F640000-0x000000007F650000-memory.dmp

memory/464-121-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4004-122-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4004-128-0x00000000027F0000-0x0000000002800000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dbe0614f207443316dbfe2881d859345
SHA1 08dc1b45184277e046eaa4c1fe786c82ada520f2
SHA256 a0b3a847374f97207ede340874ad10a06e2b47ce5c4e1a61cde49c037bc33d96
SHA512 632b68a4486fee93ef3bba8f9342213163564be6a57b0d67da3903ed1d19d892ccedfbbb7d814ccd5a566c822d73c1c5f57299bc67339eb4d82a7663318c6752

memory/4004-135-0x00000000705F0000-0x000000007063C000-memory.dmp

memory/4004-137-0x000000007F030000-0x000000007F040000-memory.dmp

memory/4004-136-0x0000000070D90000-0x00000000710E4000-memory.dmp

memory/4732-134-0x0000000004DA0000-0x00000000051A7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 15bbabcac0f9cd567f9f802339b10a18
SHA1 cc885bf8001c028eb97190fc0295e1d50af3202e
SHA256 17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff
SHA512 cb99a3803cfcc0aebefc206fb5f6573ca40e26864293f0ef0161d45932bd4691f998ba62ca97459cb420215aeb28a84fac2fb2e2a5b951d27292016808aae4a7

memory/4732-153-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 926ba277ac073d8a9a165e060744831a
SHA1 c8d21151e8266bf1e9249f407d8467a3b82c470f
SHA256 e7d2bfba81b78558ae728e4db2916843c2fe6c3b2e5db9f65180e573dcd47136
SHA512 1182879aaf6d28d8401a384ec733dd99aff873d4b32706e95cba2771df45bca3967fa1e614e56fbbdd9a38ae17a6e0b5c8f48e4bc5eaadc8da2b8ff6f08ea806

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9be05e178a012199cbc4659f60e4ab0d
SHA1 439bcab26164945cb5ccb7ce908034551b00b877
SHA256 b16ccdeb2dd68c1e32eedcbf272fac3b61a0f57adb4cb1d162777022f09c2182
SHA512 eb7e0ea3d738fd9ec31767b4df545e8f3b4e088e773b0b925852ffb9ff6f871c299b68655eee1b10b4a021d17ff4eb0a42a19f4590fae176a9b2895394205ad6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a17c6cfe58991524512e64e06339b017
SHA1 99ac8c2a0dc3e0ba571b8014a2f2361fdb36844a
SHA256 aeee771354084ff41f67126ba6549f34a2e054df5df889a57fa647b5e52f81eb
SHA512 80aefcae0645981fceba8009b6e9450654da494b891f1fa86b15c43c8c78ec2a162cd28b6e51c346eeaf048f16bb6726305c362d92759b8af29b736cef300339

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4220-258-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 7b14991ae1158469eeead051abf23569
SHA1 ebcb21dc2ae380cc9d8119c9a207908331329553
SHA256 e3294cf678ff69e7465001c9a986c373efd5bcfb4ed4c21c806c45700af9faba
SHA512 d8819606d7e5e9c5072455b12f95220d2095b35b60f65f38340528e513a9754f81fc659550a0d9a943dfe9e929fae50f5e1e85231b9f43abbf10aad82c54d77f

memory/1928-265-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4220-267-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4664-268-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4220-269-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-271-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4664-272-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4220-273-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-275-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-277-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-279-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-281-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-283-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-285-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-287-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4220-289-0x0000000000400000-0x000000000310E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:07

Reported

2024-04-17 19:09

Platform

win11-20240412-en

Max time kernel

153s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1734202354-1504186683-2192872036-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (14 identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A (12 identical rows collapsed)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (32 identical rows collapsed)
N/A N/A C:\Windows\rss\csrss.exe N/A (6 identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\system32\cmd.exe
PID 3476 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\system32\cmd.exe
PID 660 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 660 wrote to memory of 564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3476 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3476 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\rss\csrss.exe
PID 3476 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\rss\csrss.exe
PID 3476 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe C:\Windows\rss\csrss.exe
PID 2128 wrote to memory of 3084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 3084 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2492 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 1780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 1780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 1780 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 1620 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2128 wrote to memory of 1620 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2364 wrote to memory of 3468 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 3468 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 3468 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3468 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3468 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe

"C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe

"C:\Users\Admin\AppData\Local\Temp\17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
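The netsh and schtasks command lines above are the sample's two user-mode persistence and firewall changes: an inbound allow rule and an at-logon task with the highest run level, both pointing at C:\Windows\rss\csrss.exe, a copy of the sample named after a core Windows process. The Python script below is an added example, not part of this sandbox report, that parses those two command lines (copied from this report) and flags the path masquerade. The list of core process names and the System32/SysWOW64 directories it treats as legitimate are assumptions of the example, not something the report states.

```python
"""Triage of the firewall and scheduled-task commands in this report.

Added example (not part of the sandbox report): parse the two commands
the sample ran, pull out the program each one points at, and flag a
program whose file name is a core Windows binary (csrss.exe here) but
which is not in the directory Windows keeps that binary in.
"""
import re
from pathlib import PureWindowsPath

# Command lines copied from the Processes section of this report.
NETSH_CMD = ('netsh advfirewall firewall add rule name="csrss" dir=in '
             'action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes')
SCHTASKS_CMD = ('schtasks /CREATE /SC ONLOGON /RL HIGHEST '
                '/TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F')

# Assumption: core Windows processes only run from these directories.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')                 # name="x", dir=in
_OPT = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/\s]\S*)))?')  # /TR "x", /F


def parse_netsh_rule(cmd):
    """Return the key=value arguments of 'netsh advfirewall firewall add rule'."""
    if not cmd.lower().startswith("netsh advfirewall firewall add rule"):
        raise ValueError("not a netsh firewall add-rule command")
    return {k.lower(): quoted or bare for k, quoted, bare in _KV.findall(cmd)}


def parse_schtasks(cmd):
    """Return the /OPTION values of a schtasks command (bare flags map to True)."""
    if not cmd.lower().startswith("schtasks"):
        raise ValueError("not a schtasks command")
    return {k.upper(): quoted or bare or True for k, quoted, bare in _OPT.findall(cmd)}


def masquerade_finding(program):
    """Flag a system-process file name that runs from a non-system directory."""
    path = PureWindowsPath(program)
    if path.name.lower() in SYSTEM_BINARIES and str(path.parent).lower() not in SYSTEM_DIRS:
        return f"{path.name} masquerade: runs from {path.parent}, not %SystemRoot%\\System32"
    return None


def triage(netsh_cmd=NETSH_CMD, schtasks_cmd=SCHTASKS_CMD):
    """Return a list of human-readable findings for the two commands."""
    findings = []

    rule = parse_netsh_rule(netsh_cmd)
    if rule.get("dir") == "in" and rule.get("action") == "allow" and rule.get("program"):
        findings.append(f"firewall: inbound allow rule '{rule.get('name')}' "
                        f"for {rule['program']}")
        hit = masquerade_finding(rule["program"])
        if hit:
            findings.append("firewall: " + hit)

    task = parse_schtasks(schtasks_cmd)
    if "CREATE" in task and isinstance(task.get("TR"), str):
        # /TR may carry arguments after the executable; keep the .exe part only.
        exe = re.match(r'"?(.+?\.exe)', task["TR"], re.I)
        exe = exe.group(1) if exe else task["TR"]
        findings.append(f"schtasks: task '{task.get('TN')}' runs {exe} "
                        f"on {task.get('SC')} with /RL {task.get('RL')}")
        hit = masquerade_finding(exe)
        if hit:
            findings.append("schtasks: " + hit)
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

On a live host the same two parsers can be pointed at the output of netsh advfirewall firewall show rule name=all and schtasks /query /fo LIST /v; the masquerade check is the part that matters, since a rule or task named csrss is only suspicious because its target is not %SystemRoot%\System32\csrss.exe.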

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
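The SDDL string passed to sc sdset above rewrites the DACL of the WinDefender service. Against a stock service DACL, the Administrators allow ACE loses WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) and an explicit deny ACE for exactly those two rights is appended, so an administrator can no longer stop or pause the service, while LocalSystem keeps both rights and the default SACL is left in place. The script below is an added example, not part of this report, that decodes the descriptor and reports what Administrators lose; the stock service DACL it compares against is an assumption embedded in the script, and it handles only the two-letter rights form of SDDL, not hexadecimal access masks.

```python
"""Decode the service security descriptor set by 'sc sdset WinDefender ...'.

Added example (not part of the sandbox report): parses the SDDL string,
expands each ACE into service access rights, and reports which
principals are denied SERVICE_STOP / SERVICE_PAUSE_CONTINUE, i.e. who
can no longer stop the service. Only two-letter SDDL rights are handled.
"""
import re

# SDDL string copied from the sc.exe command line in this report.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumption: the stock Windows service DACL, used for a side-by-side diff.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

# Two-letter SDDL rights as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
        "SU": "Service", "WD": "Everyone"}
CONTROL_RIGHTS = ("SERVICE_STOP", "SERVICE_PAUSE_CONTINUE")

_ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into its D: (DACL) and S: (SACL) ACE lists."""
    acls = {"D": [], "S": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in _ACE.findall(body):
            ace_type, flags, rights, _otype, _itype, sid = ace.split(";")
            acls[section].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                # rights are a run of two-letter codes, e.g. CCLCSWRP...
                "rights": [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)],
                "sid": SIDS.get(sid, sid),
            })
    return acls


def stop_blockers(sddl):
    """Return {principal: [control rights]} for DENY ACEs that cover stop/pause."""
    blocked = {}
    for ace in parse_sddl(sddl)["D"]:
        hits = [r for r in ace["rights"] if r in CONTROL_RIGHTS]
        if ace["type"] == "DENY" and hits:
            blocked[ace["sid"]] = hits
    return blocked


def effective_allow(sddl, principal):
    """Rights explicitly allowed to a principal minus rights explicitly denied."""
    allowed, denied = set(), set()
    for ace in parse_sddl(sddl)["D"]:
        if ace["sid"] == principal:
            (allowed if ace["type"] == "ALLOW" else denied).update(ace["rights"])
    return allowed - denied


def lost_against_default(sddl, principal="Administrators"):
    """Rights the principal has under the stock DACL but not under this one."""
    return sorted(effective_allow(DEFAULT_SERVICE_SDDL, principal)
                  - effective_allow(sddl, principal))


if __name__ == "__main__":
    print("deny ACEs on stop/pause:", stop_blockers(SAMPLE_SDDL))
    print("Administrators lose:", lost_against_default(SAMPLE_SDDL))
    print("Administrators keep WRITE_DAC:",
          "WRITE_DAC" in effective_allow(SAMPLE_SDDL, "Administrators"))
```

Administrators still hold WRITE_DAC and SERVICE_CHANGE_CONFIG in the rewritten descriptor, so the control rights can be put back with another sc sdset; the report does not show whether the dropped windefender.exe re-applies the descriptor afterwards, so treat that as something to verify on a live host rather than assume.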

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 4d9efece-4621-4cf6-baed-ba0938726364.uuid.statscreate.org udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.statscreate.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server10.statscreate.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server10.statscreate.org tcp

Files

memory/4932-1-0x0000000004F50000-0x000000000534B000-memory.dmp

memory/4932-2-0x0000000005350000-0x0000000005C3B000-memory.dmp

memory/4932-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4932-4-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2288-5-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

memory/2288-6-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/2288-8-0x00000000054D0000-0x0000000005AFA000-memory.dmp

memory/2288-9-0x0000000002A70000-0x0000000002A80000-memory.dmp

memory/2288-7-0x0000000002A70000-0x0000000002A80000-memory.dmp

memory/2288-10-0x00000000053D0000-0x00000000053F2000-memory.dmp

memory/2288-11-0x0000000005B00000-0x0000000005B66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2ive5nz.kdb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2288-17-0x0000000005D20000-0x0000000005D86000-memory.dmp

memory/2288-21-0x0000000005DF0000-0x0000000006147000-memory.dmp

memory/2288-22-0x00000000062A0000-0x00000000062BE000-memory.dmp

memory/2288-23-0x0000000006350000-0x000000000639C000-memory.dmp

memory/2288-24-0x0000000006830000-0x0000000006876000-memory.dmp

memory/4932-25-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2288-26-0x0000000002A70000-0x0000000002A80000-memory.dmp

memory/2288-27-0x000000007F390000-0x000000007F3A0000-memory.dmp

memory/2288-28-0x0000000007750000-0x0000000007784000-memory.dmp

memory/2288-29-0x0000000070720000-0x000000007076C000-memory.dmp

memory/2288-30-0x0000000070770000-0x0000000070AC7000-memory.dmp

memory/2288-39-0x0000000007730000-0x000000000774E000-memory.dmp

memory/2288-40-0x0000000007790000-0x0000000007834000-memory.dmp

memory/2288-41-0x0000000007F00000-0x000000000857A000-memory.dmp

memory/2288-42-0x00000000078B0000-0x00000000078CA000-memory.dmp

memory/2288-43-0x00000000078F0000-0x00000000078FA000-memory.dmp

memory/2288-44-0x0000000007A00000-0x0000000007A96000-memory.dmp

memory/2288-45-0x0000000007910000-0x0000000007921000-memory.dmp

memory/2288-46-0x0000000007960000-0x000000000796E000-memory.dmp

memory/2288-47-0x0000000007970000-0x0000000007985000-memory.dmp

memory/2288-48-0x00000000079C0000-0x00000000079DA000-memory.dmp

memory/2288-49-0x00000000079B0000-0x00000000079B8000-memory.dmp

memory/2288-52-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/3476-54-0x0000000004E60000-0x0000000005264000-memory.dmp

memory/4932-55-0x0000000004F50000-0x000000000534B000-memory.dmp

memory/3476-56-0x0000000005270000-0x0000000005B5B000-memory.dmp

memory/3476-57-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4468-67-0x0000000005E60000-0x00000000061B7000-memory.dmp

memory/4932-66-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4468-68-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/4468-70-0x0000000005070000-0x0000000005080000-memory.dmp

memory/4468-69-0x0000000005070000-0x0000000005080000-memory.dmp

memory/4468-72-0x0000000005070000-0x0000000005080000-memory.dmp

memory/4468-73-0x0000000070720000-0x000000007076C000-memory.dmp

memory/4468-74-0x00000000708C0000-0x0000000070C17000-memory.dmp

memory/4468-83-0x00000000073D0000-0x0000000007474000-memory.dmp

memory/4468-84-0x0000000007940000-0x0000000007951000-memory.dmp

memory/4468-85-0x0000000007990000-0x00000000079A5000-memory.dmp

memory/3476-86-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4468-89-0x00000000744B0000-0x0000000074C61000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/560-92-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/560-101-0x0000000005BC0000-0x0000000005F17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 95e8a6eba8b8ad4b955e234728e0b11c
SHA1 950029f85cf80ba02afad8e9f211b3f9995d9591
SHA256 2bfd819ad66fb87acae15d4bb1a2769b8a18ef280d7a2e584b141b40fa22df60
SHA512 7259110ebe09e85916bbb3b2090d26fbf7513776079b8c085bd8add6246f6a0bf3f7227131b1a5c8dde58be2c5f3da89ed2e5c3124cdf237f1237c63c3c4fc0f

memory/3476-103-0x0000000004E60000-0x0000000005264000-memory.dmp

memory/560-104-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

memory/560-105-0x0000000070720000-0x000000007076C000-memory.dmp

memory/560-106-0x00000000708A0000-0x0000000070BF7000-memory.dmp

memory/3476-115-0x0000000000400000-0x000000000310E000-memory.dmp

memory/560-116-0x000000007F230000-0x000000007F240000-memory.dmp

memory/560-118-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/3476-119-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4720-120-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/4720-121-0x0000000005440000-0x0000000005450000-memory.dmp

memory/4720-122-0x0000000005440000-0x0000000005450000-memory.dmp

memory/4720-128-0x0000000006190000-0x00000000064E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 51853b52f7120df56812580a1c5771bb
SHA1 81a2d8509c6814c942d1df4e3477c9e1a53ff1e1
SHA256 612f2f3f09532dc02f08d28fe9d18cd10e731e1401be87eda0a18c64e06c854e
SHA512 80682029749f4adc05592ca20a5d7f64e67c53bbb283982fd281bdc62188970f1b0876cb6879b693b7201ec01f3a5991b64b16356329471bc56b01c973828ae7

memory/4720-133-0x0000000005440000-0x0000000005450000-memory.dmp

memory/4720-135-0x0000000070720000-0x000000007076C000-memory.dmp

memory/4720-136-0x0000000070930000-0x0000000070C87000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 15bbabcac0f9cd567f9f802339b10a18
SHA1 cc885bf8001c028eb97190fc0295e1d50af3202e
SHA256 17af4f0371bdc079aa65042bad33052f915413d0afaa9b6789957997f877a0ff
SHA512 cb99a3803cfcc0aebefc206fb5f6573ca40e26864293f0ef0161d45932bd4691f998ba62ca97459cb420215aeb28a84fac2fb2e2a5b951d27292016808aae4a7

memory/3476-150-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6877d9ba7ba60660d8cd646ab0e51442
SHA1 164f2303a18d015ba6913c7d02bb036215eaff76
SHA256 5290b817a96b80de42bff3bf04e532449b997e4a7d9fcc010286506b63634387
SHA512 df2c3bfc6c97b90dcfae81532c7b4d2b0b6f071b48b53a939fb7c96f9b5e973eb87d45839472e876a4f7a11db3b0e9e1257d191964139a1c05dd98d1108fe4e9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5a1b72ebbc39f2f6c2e683f924b96996
SHA1 ebbbf6eb686b2081f8d182d342b62cfd7fef4e8e
SHA256 b7e8b712ce886f688a19628974dfaf530cdb0190be92ab1d14491a351eb04268
SHA512 90b7d2688abba45383db79f35bf6d3f2df769c8d4caaccc104bc746d557ffe7feb83d9e6da54fa2319ea1ec9678e066e24fb358a7d6ae97ec93dd92f42b764ec

memory/2128-198-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0b1d51df7a95c710c1292902bb36d69d
SHA1 d9b371451b83fe17e8bf2e4b257b9aec59786f5f
SHA256 06ff0d16ed30518b46456679f6f98092060d1d64e6440e698197f0eecd4ed81f
SHA512 3f1020f52be21076b4f09bf110087be96fa56cbdc852fed0f41edc8e8b853a522effc78a56528a3a8d520c7bdd1f84bee73e0628595b76ef6a26c2c66c84d759

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2128-247-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2364-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2128-257-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2128-259-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3896-260-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2128-262-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2128-265-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3896-266-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2128-268-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2128-271-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2128-274-0x0000000000400000-0x000000000310E000-memory.dmp