Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-xsnlysbb67
Target 267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2
SHA256 267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2
Tags
glupteba dropper evasion loader upx discovery persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2

Threat Level: Known bad

The file 267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Modifies data under HKEY_USERS

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:07

Reported

2024-04-17 19:09

Platform

win10v2004-20240412-en

Max time kernel

3s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe

"C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe

"C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 60.166.213.23.in-addr.arpa udp
US 8.8.8.8:53 bed77569-289a-4dd1-b664-8ed9cfd3db90.uuid.realupdate.ru udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server16.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
BG 185.82.216.96:443 server16.realupdate.ru tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

memory/4532-1-0x0000000004E50000-0x0000000005257000-memory.dmp

memory/4532-2-0x0000000005260000-0x0000000005B4B000-memory.dmp

memory/4532-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/5056-5-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/5056-4-0x0000000004B30000-0x0000000004B66000-memory.dmp

memory/5056-6-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/5056-7-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/5056-8-0x0000000005280000-0x00000000058A8000-memory.dmp

memory/5056-9-0x0000000005230000-0x0000000005252000-memory.dmp

memory/5056-10-0x0000000005920000-0x0000000005986000-memory.dmp

memory/5056-11-0x0000000005A40000-0x0000000005AA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihthyv2p.ic4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5056-21-0x0000000005BF0000-0x0000000005F44000-memory.dmp

memory/5056-22-0x0000000006110000-0x000000000612E000-memory.dmp

memory/5056-23-0x0000000006160000-0x00000000061AC000-memory.dmp

memory/5056-24-0x0000000006670000-0x00000000066B4000-memory.dmp

memory/5056-25-0x0000000004C40000-0x0000000004C50000-memory.dmp

memory/5056-26-0x0000000007430000-0x00000000074A6000-memory.dmp

memory/5056-27-0x0000000007B30000-0x00000000081AA000-memory.dmp

memory/5056-28-0x00000000074D0000-0x00000000074EA000-memory.dmp

memory/5056-29-0x000000007F2D0000-0x000000007F2E0000-memory.dmp

memory/5056-30-0x0000000007690000-0x00000000076C2000-memory.dmp

memory/5056-31-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/5056-32-0x0000000070320000-0x0000000070674000-memory.dmp

memory/5056-42-0x0000000007670000-0x000000000768E000-memory.dmp

memory/5056-43-0x00000000076D0000-0x0000000007773000-memory.dmp

memory/5056-44-0x00000000077C0000-0x00000000077CA000-memory.dmp

memory/5056-45-0x0000000007880000-0x0000000007916000-memory.dmp

memory/5056-46-0x00000000077E0000-0x00000000077F1000-memory.dmp

memory/5056-47-0x0000000007820000-0x000000000782E000-memory.dmp

memory/5056-48-0x0000000007830000-0x0000000007844000-memory.dmp

memory/5056-49-0x0000000007920000-0x000000000793A000-memory.dmp

memory/5056-50-0x0000000007870000-0x0000000007878000-memory.dmp

memory/5056-53-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/4532-54-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4532-56-0x0000000004E50000-0x0000000005257000-memory.dmp

memory/4532-57-0x0000000005260000-0x0000000005B4B000-memory.dmp

memory/2148-58-0x0000000004DA0000-0x00000000051A0000-memory.dmp

memory/2148-59-0x00000000051A0000-0x0000000005A8B000-memory.dmp

memory/4532-60-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3296-61-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/2148-71-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3296-72-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/3296-73-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/3296-74-0x000000007F510000-0x000000007F520000-memory.dmp

memory/3296-75-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/3296-76-0x0000000070320000-0x0000000070674000-memory.dmp

memory/3296-86-0x00000000075F0000-0x0000000007693000-memory.dmp

memory/3296-87-0x00000000078E0000-0x00000000078F1000-memory.dmp

memory/3296-88-0x0000000007930000-0x0000000007944000-memory.dmp

memory/3296-91-0x0000000074300000-0x0000000074AB0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4216-93-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/4216-95-0x00000000025E0000-0x00000000025F0000-memory.dmp

memory/4216-94-0x00000000025E0000-0x00000000025F0000-memory.dmp

memory/4216-96-0x0000000005570000-0x00000000058C4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 31fd06e7b123ecdc15fc62495a23372f
SHA1 3063a580d32f6854b01370874070ee95bc7c1ea9
SHA256 29bacde39ee25e4eb5357459939204418658274508d2f22b89849225e955f793
SHA512 6208008d990b7a2d90795496f846e8a6c34bd3ee2e003ba05a428ce2a6d7ec4a87684d128d12d9e71aca86717c9670aa48c20f2db79f7560b478c2ac52e2ddd6

memory/4216-107-0x00000000025E0000-0x00000000025F0000-memory.dmp

memory/4216-108-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/4216-109-0x0000000070920000-0x0000000070C74000-memory.dmp

memory/4216-120-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2148-122-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4468-132-0x0000000074300000-0x0000000074AB0000-memory.dmp

memory/2148-133-0x0000000004DA0000-0x00000000051A0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9ba611c9b1856947367846be9bc4408b
SHA1 463c57d228bd7c8a245e7fb175013aa18f5884e0
SHA256 7aff54e1366bfd18f8ed67d164664a72c210b736352feee787e1a5406c0254a0
SHA512 992c6598c18d54779d19cc45448934d91496fd445d1597d29c912bf161df1632a3bfd10e5d469b15cf03bdf12f34ef79b5c07208280c0129f358d33ee88b9b3c

memory/4468-134-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/4468-135-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/4468-137-0x00000000701A0000-0x00000000701EC000-memory.dmp

memory/4468-136-0x000000007F7B0000-0x000000007F7C0000-memory.dmp

memory/4468-138-0x0000000070320000-0x0000000070674000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 75fae659377cebf89cf61e90c45f24f2
SHA1 362fd4d7a74226cc703ed73a9ece0571e86ab2a5
SHA256 267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2
SHA512 a4cd447eaa6d2e46353c6ec8b6c476400c6b73961103637b03f2d269b52dd25879c6648737dd4ac6d65118cbe6d6f2d410b3172f1647abaf7380a0d266ab36f5

memory/2148-153-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 02562f128b5007a3b7b930a313614e3c
SHA1 497541260a2794d24113aac46631b43bbd7f03fc
SHA256 d7fe4c8c53e6ddeb44c4b14797f93d0a611ef4d7c47abe77b74b2cf8103771bd
SHA512 f445891eefdc28d5327127c4f0ebfee351cde59db3dcd4e7565a579c24e91ac82d194a5c5da3caab8220dca48ed1ff8be5bf2c5080df1ba5e9e77b715dfadf71

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc16e3c01b56f08d21b5c07e761c70a4
SHA1 4fb22b238155ac69e70ac17cf3e36daa7687bf47
SHA256 28267c07403084c44261f29f4e53abe9fb4c762a24795919e09326e21ba69e2d
SHA512 e57df8bb93973ca4ee196c8ffedef57c7f096357732831d8f968296da4eb7257a048261aff25cb01c0a56863456b4c67490d95e1eec5becf62935aabd670fb8f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 84123a90f4ddbf0ac09cafd723184fdb
SHA1 ac17a14c53d42a84e9b7b6f1e5f9bba95449e7cb
SHA256 fa5aecdb60b5ee702ee24318cbf903565fe4f625b916be19345a7cf896d3c32f
SHA512 a82ff6078f5118162dac37e2c399b0e3e09dbbb537c9836bf5b09afb016941aa9698f2cb1e8c2ca0f2b75f0c11fb87bf30abf6eb7bf46d27314a970895608d8c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4612-250-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4612-257-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4496-260-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4612-262-0x0000000000400000-0x000000000310E000-memory.dmp

memory/904-263-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4612-265-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4612-268-0x0000000000400000-0x000000000310E000-memory.dmp

memory/904-269-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4612-271-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4612-274-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4612-277-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4612-280-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4612-283-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4612-286-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4612-289-0x0000000000400000-0x000000000310E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:07

Reported

2024-04-17 19:10

Platform

win11-20240412-en

Max time kernel

176s

Max time network

190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-825860316-2493133627-3905166409-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\system32\cmd.exe
PID 5044 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\system32\cmd.exe
PID 560 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 560 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5044 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\rss\csrss.exe
PID 5044 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\rss\csrss.exe
PID 5044 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe C:\Windows\rss\csrss.exe
PID 3324 wrote to memory of 3000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 3000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 3000 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 1332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 1332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 1332 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 336 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 336 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 336 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3324 wrote to memory of 3760 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3324 wrote to memory of 3760 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4356 wrote to memory of 2156 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 2156 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 2156 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2156 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2156 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe

"C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe

"C:\Users\Admin\AppData\Local\Temp\267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server13.realupdate.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.96:443 server13.realupdate.ru tcp

Files

memory/1032-1-0x0000000004F60000-0x0000000005359000-memory.dmp

memory/1032-2-0x0000000005360000-0x0000000005C4B000-memory.dmp

memory/1032-3-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1032-4-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1032-5-0x0000000004F60000-0x0000000005359000-memory.dmp

memory/248-6-0x0000000002790000-0x00000000027C6000-memory.dmp

memory/248-7-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/248-8-0x0000000005350000-0x000000000597A000-memory.dmp

memory/1032-9-0x0000000000400000-0x000000000310E000-memory.dmp

memory/248-11-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

memory/248-10-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

memory/248-12-0x00000000050C0000-0x00000000050E2000-memory.dmp

memory/248-13-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/248-14-0x0000000005A60000-0x0000000005AC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcghzw2q.glr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/248-23-0x0000000005AD0000-0x0000000005E27000-memory.dmp

memory/248-24-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

memory/248-25-0x0000000005FE0000-0x000000000602C000-memory.dmp

memory/248-26-0x0000000006560000-0x00000000065A6000-memory.dmp

memory/1032-27-0x0000000005360000-0x0000000005C4B000-memory.dmp

memory/248-29-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

memory/248-30-0x0000000007430000-0x0000000007464000-memory.dmp

memory/248-31-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/248-32-0x00000000705D0000-0x0000000070927000-memory.dmp

memory/248-41-0x0000000007470000-0x000000000748E000-memory.dmp

memory/248-42-0x0000000007490000-0x0000000007534000-memory.dmp

memory/248-43-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/1032-44-0x0000000000400000-0x000000000310E000-memory.dmp

memory/248-45-0x0000000007C20000-0x000000000829A000-memory.dmp

memory/248-46-0x0000000007560000-0x000000000757A000-memory.dmp

memory/248-47-0x0000000007620000-0x000000000762A000-memory.dmp

memory/248-48-0x00000000076D0000-0x0000000007766000-memory.dmp

memory/248-49-0x0000000007670000-0x0000000007681000-memory.dmp

memory/248-50-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

memory/248-51-0x0000000007690000-0x000000000769E000-memory.dmp

memory/248-53-0x00000000075B0000-0x00000000075C5000-memory.dmp

memory/248-54-0x00000000077B0000-0x00000000077CA000-memory.dmp

memory/248-56-0x0000000007640000-0x0000000007648000-memory.dmp

memory/248-59-0x0000000074110000-0x00000000748C1000-memory.dmp

memory/1032-60-0x0000000000400000-0x000000000310E000-memory.dmp

memory/5044-62-0x0000000004E10000-0x0000000005209000-memory.dmp

memory/5044-63-0x0000000005210000-0x0000000005AFB000-memory.dmp

memory/5044-64-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2860-65-0x00000000741B0000-0x0000000074961000-memory.dmp

memory/2860-66-0x0000000003260000-0x0000000003270000-memory.dmp

memory/2860-67-0x0000000003260000-0x0000000003270000-memory.dmp

memory/2860-68-0x0000000006210000-0x0000000006567000-memory.dmp

memory/2860-77-0x0000000006C70000-0x0000000006CBC000-memory.dmp

memory/2860-78-0x0000000003260000-0x0000000003270000-memory.dmp

memory/2860-79-0x000000007F240000-0x000000007F250000-memory.dmp

memory/2860-80-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/2860-81-0x00000000706E0000-0x0000000070A37000-memory.dmp

memory/2860-90-0x0000000007980000-0x0000000007A24000-memory.dmp

memory/2860-91-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

memory/5044-92-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2860-93-0x0000000007D20000-0x0000000007D35000-memory.dmp

memory/2860-96-0x00000000741B0000-0x0000000074961000-memory.dmp

memory/5044-97-0x0000000004E10000-0x0000000005209000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/1344-99-0x00000000741B0000-0x0000000074961000-memory.dmp

memory/1344-100-0x0000000005530000-0x0000000005540000-memory.dmp

memory/1344-109-0x0000000006420000-0x0000000006777000-memory.dmp

memory/5044-110-0x0000000000400000-0x000000000310E000-memory.dmp

memory/1344-112-0x0000000005530000-0x0000000005540000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 887cf5ade2412dfbefd24daccad53b38
SHA1 8108dc71f57ab7e495abf2c714646f84f8ad6950
SHA256 51d2c35cdf4c585d776cabc6ff3533fee9bc4322694d331c8e6336db6bc9b6b7
SHA512 4bc19304afb63e4fab8563ce18666f2783494e87b895d471bec6288bdc458376ddbadd23e0048a2d025ea5b3d2fd33e8cf58af06698227a131a1d6f4a6c085b7

memory/1344-114-0x0000000005530000-0x0000000005540000-memory.dmp

memory/1344-115-0x000000007F770000-0x000000007F780000-memory.dmp

memory/1344-116-0x0000000070490000-0x00000000704DC000-memory.dmp

memory/1344-117-0x0000000070610000-0x0000000070967000-memory.dmp

memory/1344-127-0x00000000741B0000-0x0000000074961000-memory.dmp

memory/2132-128-0x00000000741B0000-0x0000000074961000-memory.dmp

memory/2132-129-0x0000000003070000-0x0000000003080000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6617779c4c0059d9a8251d6417f38112
SHA1 674fa9ef62f0aad6686498e0fd46bf9fdb2434d5
SHA256 970315a4754c6b37610a3aeff9c48bf40337279a5d8e61188876b5d7f1212471
SHA512 06ea06ca0e56de23220b1f3d249f7be10aa0d88e86bf9fa5850e4c9fd59dceec1a2c3cf3983251d26c034d8ca1a33af6e727181e4a91408b59f24586ee8edaa0

memory/5044-140-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 75fae659377cebf89cf61e90c45f24f2
SHA1 362fd4d7a74226cc703ed73a9ece0571e86ab2a5
SHA256 267f3218865962c91c69db8eba6d5f5e0c0f14d8074d25e5f7684701dc6878e2
SHA512 a4cd447eaa6d2e46353c6ec8b6c476400c6b73961103637b03f2d269b52dd25879c6648737dd4ac6d65118cbe6d6f2d410b3172f1647abaf7380a0d266ab36f5

memory/5044-161-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4db438bbf93281279c45a2a642eaab92
SHA1 67fd64dfde2dc9bd578f92d3f3832cf75ab54dd0
SHA256 8eea1ddc8e9257d667c9af41bd73fddaee661fb834d76c01ef43efe15edfca73
SHA512 bf72a80a65ac63acb656cf7f2e4f235a6a6bd9ef85e4b0710a3b7a66b29cada0c5ec8ee31ad16e7cbb8b619d5122e968160fb69a46ea0cf36f04952d4c7b119a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a9c26c9d5286d62d508109053735513e
SHA1 43ad64a723c3517897414906ef15215923aad454
SHA256 d813e49e9a20451bb85b2559265e83fae9f65b38372e4e09481e56a76b22ad38
SHA512 84d2a28befb9790d6e2a351a8e0739489128099aca6497ad6c9187e8778e75f3507ad0a449a4e406ef4fde5838d95349675c2ee39ff0a1224c80ad97f0879ac6

memory/3324-223-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6b7171636bc52e8bc536513a535cb531
SHA1 db32021c7d8f13b1c5454ac00f92c0b7d4453a80
SHA256 b7130e675fba2f0959f40c8c6343c626e25bdecc4cbae56d2217421fdc2b3e6e
SHA512 b46e9cbd4362e1dadfbaebc4c2b0d09f1e5b6852f4e7867cdfa755b74f0af9f08cccd61dfa5270372746d1be01678516879e392051dc1945e024012925f7acf1

memory/3324-254-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3324-259-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4356-267-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3324-269-0x0000000000400000-0x000000000310E000-memory.dmp