Malware Analysis Report

2025-06-16 01:58

Sample ID 240509-x6sg3adh63
Target bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665
SHA256 bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665
Tags
glupteba dropper evasion execution loader upx discovery persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665

Threat Level: Known bad


Malicious Activity Summary

glupteba dropper evasion execution loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:28

Reported

2024-05-09 19:30

Platform

win10v2004-20240426-en

Max time kernel

13s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
17 matches, all fields N/A (no description, indicator, process or target recorded for this rule)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches, all fields N/A (no description, indicator, process or target recorded for this rule)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe

"C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe

"C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
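The sc sdset command in the tree above rewrites the security descriptor of the WinDefender service. The decoder below is an editor's example added to this page, not code from the sandbox or from the report: it parses that SDDL string and shows what it does to BUILTIN\Administrators. The right-name table is the documented SDDL abbreviation set for service objects; the deny-overrides-allow evaluation in effective_rights() is a simplification of Windows' ordered ACE walk that is assumed to give the right answer here because the Administrators allow ACE omits WP and DT as well.

```python
"""Decode the service security descriptor applied by `sc sdset WinDefender ...`.

Added example, not sandbox or report code.  Implements the public SDDL ACE
grammar with the service-specific access-right abbreviations; the "deny wins"
rule in effective_rights() is a simplification (assumption) that holds for
this descriptor because the Administrators allow ACE lacks WP/DT too.
"""
import re
from typing import NamedTuple

# SDDL two-letter rights as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
SID_ALIASES = {"SY": "LOCAL_SYSTEM", "BA": "BUILTIN\\Administrators",
               "IU": "INTERACTIVE", "SU": "SERVICE", "WD": "Everyone"}

# The descriptor exactly as it appears in the sc.exe command line above.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


class Ace(NamedTuple):
    acl: str           # "D" = DACL entry, "S" = SACL entry
    ace_type: str      # ALLOW / DENY / AUDIT
    flags: str         # e.g. "FA" = audit failed access
    rights: frozenset  # two-letter right codes, or a single "0x..." hex mask
    trustee: str


def parse_sddl(sddl):
    """Split the D: (DACL) and S: (SACL) sections into Ace records."""
    aces = []
    for acl, body in re.findall(r"([DS]):((?:\([^)]*\))+)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            parts = ace.split(";")
            if len(parts) != 6:
                raise ValueError("unsupported ACE: " + ace)
            ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
            if rights.startswith("0x"):
                codes = frozenset([rights])
            else:
                codes = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
            aces.append(Ace(acl, ACE_TYPES.get(ace_type, ace_type), flags,
                            codes, SID_ALIASES.get(sid, sid)))
    return aces


def effective_rights(aces, trustee):
    """(allowed, denied) right names for TRUSTEE, DACL entries only.
    Windows walks ACEs in order; here a deny simply overrides an allow."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.acl != "D" or ace.trustee != trustee:
            continue
        names = {SERVICE_RIGHTS.get(code, code) for code in ace.rights}
        (allowed if ace.ace_type == "ALLOW" else denied).update(names)
    return allowed - denied, denied


def admins_can_stop(sddl=SAMPLE_SDDL):
    """Can BUILTIN\\Administrators send SERVICE_CONTROL_STOP to the service?"""
    allowed, denied = effective_rights(parse_sddl(sddl), "BUILTIN\\Administrators")
    return "SERVICE_STOP" in allowed and "SERVICE_STOP" not in denied


def admins_keep_write_dac(sddl=SAMPLE_SDDL):
    """Do administrators still hold WRITE_DAC, i.e. can they rewrite this ACL?"""
    allowed, _ = effective_rights(parse_sddl(sddl), "BUILTIN\\Administrators")
    return "WRITE_DAC" in allowed


if __name__ == "__main__":
    for ace in parse_sddl(SAMPLE_SDDL):
        print(ace.acl, ace.ace_type, ace.trustee,
              sorted(SERVICE_RIGHTS.get(c, c) for c in ace.rights))
    print("admins can stop:", admins_can_stop(),
          "| admins keep WRITE_DAC:", admins_keep_write_dac())
```

Decoded, the DACL leaves LOCAL_SYSTEM with SERVICE_STOP and SERVICE_PAUSE_CONTINUE, grants Administrators every other right, and then denies those two to Administrators explicitly, so an elevated operator cannot stop or pause the "WinDefender" service. Administrators do keep WRITE_DAC, so reapplying a descriptor that grants WP and DT back to BA with sc sdset from an elevated prompt regains control of the service before C:\Windows\windefender.exe is removed.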

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 74.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
BE 2.17.196.74:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 d117b6ac-0bb7-4216-8ff8-f2608355ab2a.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Most of this table is Windows background traffic from the sandbox image (the bing.com and tse1.mm.bing.net connections and the in-addr.arpa reverse lookups). The destinations that are not part of that background are server3.thestatsfiles.ru (185.82.216.96, BG, contacted three times over 443), the UUID-prefixed lookup of d117b6ac-0bb7-4216-8ff8-f2608355ab2a.uuid.thestatsfiles.ru, carsalessystem.com (104.21.94.82), cdn.discordapp.com (162.159.133.233) and the STUN request to stun4.l.google.com:19302; these are the network indicators worth hunting for.

Files

memory/3004-1-0x0000000003310000-0x0000000003718000-memory.dmp

memory/3004-2-0x0000000004FC0000-0x00000000058AB000-memory.dmp

memory/3004-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/880-4-0x000000007417E000-0x000000007417F000-memory.dmp

memory/880-5-0x0000000002B60000-0x0000000002B96000-memory.dmp

memory/880-6-0x0000000074170000-0x0000000074920000-memory.dmp

memory/880-7-0x0000000005680000-0x0000000005CA8000-memory.dmp

memory/880-8-0x00000000055D0000-0x00000000055F2000-memory.dmp

memory/880-9-0x0000000005DA0000-0x0000000005E06000-memory.dmp

memory/880-10-0x0000000005E10000-0x0000000005E76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ujlj4fk.hwp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/880-20-0x0000000005F80000-0x00000000062D4000-memory.dmp

memory/880-21-0x0000000006490000-0x00000000064AE000-memory.dmp

memory/880-22-0x00000000064E0000-0x000000000652C000-memory.dmp

memory/880-23-0x0000000007600000-0x0000000007644000-memory.dmp

memory/880-24-0x0000000007810000-0x0000000007886000-memory.dmp

memory/880-25-0x0000000007F10000-0x000000000858A000-memory.dmp

memory/880-26-0x00000000077D0000-0x00000000077EA000-memory.dmp

memory/880-30-0x0000000070190000-0x00000000704E4000-memory.dmp

memory/880-42-0x0000000074170000-0x0000000074920000-memory.dmp

memory/880-41-0x0000000007A70000-0x0000000007B13000-memory.dmp

memory/880-40-0x0000000007A50000-0x0000000007A6E000-memory.dmp

memory/880-28-0x0000000070010000-0x000000007005C000-memory.dmp

memory/880-29-0x0000000074170000-0x0000000074920000-memory.dmp

memory/880-27-0x0000000007A10000-0x0000000007A42000-memory.dmp

memory/880-43-0x0000000007B60000-0x0000000007B6A000-memory.dmp

memory/880-44-0x0000000007C70000-0x0000000007D06000-memory.dmp

memory/880-45-0x0000000007B70000-0x0000000007B81000-memory.dmp

memory/880-46-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

memory/880-47-0x0000000007BD0000-0x0000000007BE4000-memory.dmp

memory/880-48-0x0000000007C20000-0x0000000007C3A000-memory.dmp

memory/880-49-0x0000000007C10000-0x0000000007C18000-memory.dmp

memory/880-52-0x0000000074170000-0x0000000074920000-memory.dmp

memory/3004-55-0x0000000003310000-0x0000000003718000-memory.dmp

memory/3004-56-0x0000000004FC0000-0x00000000058AB000-memory.dmp

memory/3004-54-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/456-66-0x0000000006180000-0x00000000064D4000-memory.dmp

memory/456-78-0x0000000007A70000-0x0000000007B13000-memory.dmp

memory/456-68-0x00000000707B0000-0x0000000070B04000-memory.dmp

memory/456-67-0x0000000070010000-0x000000007005C000-memory.dmp

memory/3004-80-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/728-79-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/456-81-0x0000000007DA0000-0x0000000007DB1000-memory.dmp

memory/456-82-0x0000000007DF0000-0x0000000007E04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4912-91-0x0000000005AC0000-0x0000000005E14000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2169b4c4e615416c1227c332dc4af34c
SHA1 6e4f8b77007ecefa2313add41604dc1075c575e3
SHA256 e460785daa160efcab97bd7e4aac575b07aa7d5cc5694a07bd23c5e421240b35
SHA512 2d199afc289f9d5271300583743a0a34275e3039d643fc4d8912020836256f270e797531eab8f7d3035f2659924b354d48f00a5b96459f826604bc0f2aa80b71

memory/4912-97-0x0000000070010000-0x000000007005C000-memory.dmp

memory/4912-98-0x0000000070790000-0x0000000070AE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5358ed22997d387b35807fac2603e9a8
SHA1 8a49aaf96bc755f59ee99cbd5c21f6fce897ab9d
SHA256 14be80cdfca39aec0c3b67dc3af2e367888e316f886b959a697a03af1218a2c4
SHA512 de1badd17a01eb77fb39274594d03b54e820726db053b19c946c2346973ae00908e81962a48be378bc8c8c3bde4966654eed5c721e12a6269c20665d04609b40

memory/4448-119-0x0000000070010000-0x000000007005C000-memory.dmp

memory/4448-120-0x0000000070790000-0x0000000070AE4000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 868b7b5b1fefa3e7da673b1648d264ad
SHA1 09b53c6c262e338fe850b3a4c89152aabd6e16a6
SHA256 bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665
SHA512 fad332c401777afe33997dc76ec8df4fad5f5325d66019593d532fb190964b0ed94599707cbb99711e5aa542db5e825fd83e1687bc89753ae04434186c1cec4a

(SHA256 identical to the submitted sample: the dropper copies itself to C:\Windows\rss\csrss.exe, and the scheduled task, Run key and firewall rule all point at this copy.)

memory/728-134-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2548-148-0x0000000006180000-0x00000000064D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e5c6a5863b5da09a658f22d432f6b5f6
SHA1 569fe2fcb2386583bd45936f7ae1b7fc028ed728
SHA256 6ef80b00124d5933971c84961c0d3fa0e12910a635911b8be1cf263ed97c3014
SHA512 e53536ddbeded3c4fcc6e10c31abd4536e100982d62b0a7f4bcaf157c4c00ff71cad7e71f00d1926745293ecf86fc184465f2e1af37399aeae838e018bfbde8a

memory/2548-150-0x0000000070010000-0x000000007005C000-memory.dmp

memory/2548-151-0x0000000070A40000-0x0000000070D94000-memory.dmp

memory/3076-171-0x0000000005540000-0x0000000005894000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a112676ab4517ef868a60be47a942548
SHA1 a8f71ee71cde2a558cdd7ce86c34d9bd5cdb69b7
SHA256 dd205b642b676c6c194985c17415ad16d239c2e43d8330fba3e1965f04c39e33
SHA512 6c8fabe0cddd09dfec0bdcf7bd59091b12d7a19325ad947fff0a94a0368d47cbc222eae50341584348aac5f05f97edcdd47672aca7ba0a641c333068e5c6900b

memory/3076-173-0x0000000005C50000-0x0000000005C9C000-memory.dmp

memory/3076-175-0x00000000706C0000-0x0000000070A14000-memory.dmp

memory/3076-185-0x0000000006E70000-0x0000000006F13000-memory.dmp

memory/3076-174-0x000000006FF30000-0x000000006FF7C000-memory.dmp

memory/3076-186-0x0000000007190000-0x00000000071A1000-memory.dmp

memory/3076-187-0x00000000059F0000-0x0000000005A04000-memory.dmp

memory/5068-195-0x0000000005960000-0x0000000005CB4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 af529667b6a8e2e660647492e8beefc9
SHA1 f7f4d3c755cb4bedadb8e60dd545816bafc2163c
SHA256 c5bf936e11b39610228699eb1b46a37c3df55896687ae1ef0bb1baa11d362eed
SHA512 5d28afd06bafff92927569a9b509e77abb8cc9c6c87e4640f5927c327adca7a570c07308972429dc21706ea2d5d70e8bbe357ab7e34e3fa921fa0270cff04aed

memory/5068-201-0x0000000070B20000-0x0000000070E74000-memory.dmp

memory/5068-200-0x000000006FF30000-0x000000006FF7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3908-218-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1528-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/916-223-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/916-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3908-228-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1528-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3908-232-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3908-235-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1528-236-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3908-238-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3908-240-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3908-244-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3908-247-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3908-250-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3908-253-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:28

Reported

2024-05-09 19:30

Platform

win11-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 matches, all fields N/A (no description, indicator, process or target recorded for this rule)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 matches, all fields N/A (no description, indicator, process or target recorded for this rule)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

\??\WinMonFS is the device object of Glupteba's WinMonFS kernel driver, the rootkit component behind the rootkit tag; the dropped csrss.exe opening it is the user-mode half of the malware talking to (or probing for) that driver.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A

\??\VBoxMiniRdrDN is the device created by the VirtualBox Guest Additions shared-folder driver; opening it succeeds only inside a VirtualBox guest, so a single CreateFile on this name is a cheap test for one common analysis environment.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
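The persistence and defence-evasion steps recorded in these signatures (the ONLOGON scheduled task and Run key pointing at C:\Windows\rss\csrss.exe, the netsh firewall allow rule for the same binary, and the sc sdset call that forbids administrators to stop "WinDefender") are all visible in process-creation and registry telemetry. The rules below are an editor's example added to this page, not sandbox or report code. The event layout (type / image / command_line, or type / key / value) is an assumption loosely modelled on Sysmon process-creation and registry events; the rule names, the lookalike-name list and the two benign control events are constructed for the example.

```python
"""Process-creation and registry detections for the persistence and evasion
commands seen in this report.

Added example, not sandbox or report code.  Event fields (type, image,
command_line, key, value) are an assumption modelled loosely on Sysmon event
IDs 1 and 13; rule names, LOOKALIKE_NAMES and the benign control events are
constructed for this page.
"""
import re

# Where genuine Windows core binaries live (lower-case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names the sample borrows (csrss.exe, windefender.exe) plus other common choices.
LOOKALIKE_NAMES = {"csrss.exe", "windefender.exe", "smss.exe", "lsass.exe",
                   "winlogon.exe", "svchost.exe"}
# A deny ACE for BUILTIN\Administrators: (D;flags;rights;;;BA)
DENY_BA_ACE = re.compile(r"\(D;[^;]*;([A-Z]+);[^;]*;[^;]*;BA\)")


def masquerades(path):
    """True when PATH carries a core-process name but is outside System32/SysWOW64."""
    p = path.strip('"').lower()
    return p.rsplit("\\", 1)[-1] in LOOKALIKE_NAMES and not p.startswith(SYSTEM_DIRS)


def arg_value(cmd, key):
    """Value following KEY in CMD, quoted or bare: /TR "x y" -> 'x y', program=x -> 'x'."""
    m = re.search(key + r'\s*"([^"]+)"|' + key + r"\s*(\S+)", cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def denies_admin_stop(cmd):
    """sc sdset descriptor containing a deny ACE that strips WP (stop) or DT (pause) from BA."""
    for rights in DENY_BA_ACE.findall(cmd):
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if codes & {"WP", "DT"}:
            return True
    return False


def evaluate(event):
    """Names of the rules that fire for one event; empty list when nothing matches."""
    hits = []
    if event["type"] == "process":
        cmd = event["command_line"]
        low = cmd.lower()
        if "schtasks" in low and "/create" in low:
            target = arg_value(cmd, "/tr")
            if target and masquerades(target):
                hits.append("scheduled_task_masquerading_binary")
        if "netsh" in low and "advfirewall" in low and "add rule" in low:
            target = arg_value(cmd, "program=")
            if target and masquerades(target):
                hits.append("firewall_allow_masquerading_binary")
        if re.search(r"\bsc(\.exe)?\s+sdset\b", low) and denies_admin_stop(cmd):
            hits.append("service_dacl_denies_admin_stop")
    elif event["type"] == "registry":
        if "\\currentversion\\run\\" in event["key"].lower() and masquerades(event["value"]):
            hits.append("run_key_masquerading_binary")
    return hits


# Constructed events (not sandbox output) copying the command lines seen in the
# report, followed by two benign uses of the same tools that must stay silent.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "command_line": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"type": "process", "image": r"C:\Windows\system32\netsh.exe",
     "command_line": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\sc.exe",
     "command_line": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                     "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
     "value": r'"C:\Windows\rss\csrss.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /CREATE /SC DAILY /TR "C:\Windows\System32\cleanmgr.exe" /TN Cleanup'},
    {"type": "process", "image": r"C:\Windows\System32\sc.exe",
     "command_line": "sc sdset MyService D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"},
]


def scan(events):
    """Rule hits per event, in input order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hits or ["-"], event.get("command_line") or event["key"])
```

The three process rules key on the target path rather than on the task or rule name, so renaming the task away from "csrss" does not evade them; the sc sdset rule looks only for a deny ACE against BA that removes stop or pause rights, which ordinary service installers do not write, so the benign descriptor in the last control event stays silent.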

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\system32\cmd.exe
PID 4448 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\system32\cmd.exe
PID 2888 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2888 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4448 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\rss\csrss.exe
PID 4448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\rss\csrss.exe
PID 4448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe C:\Windows\rss\csrss.exe
PID 2720 wrote to memory of 1632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 1632 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 4960 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 2304 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2720 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2720 wrote to memory of 3712 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4980 wrote to memory of 1216 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 1216 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 1216 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1216 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1216 wrote to memory of 1880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe

"C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe

"C:\Users\Admin\AppData\Local\Temp\bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
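
Added example, not part of the sandbox output: a Python triage pass over the distinct command lines in the Processes list above. It decodes the SDDL string handed to sc sdset and labels the behaviours behind this report's tags: csrss.exe running from C:\Windows\rss rather than System32, the ONLOGON task at run level HIGHEST, the inbound firewall allow for that binary, the loader given a target process name and a hook DLL, and the service descriptor that denies administrators SERVICE_STOP. The LEGIT_PATH map, the finding labels and the heuristics are this example's own assumptions, not signatures from the report.

```python
import re
from typing import Dict, List

# Service-object access rights as abbreviated in SDDL ACE strings.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"SY": "LocalSystem", "BA": "Builtin Administrators",
               "IU": "Interactive Users", "SU": "Service Logon Users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Verbatim from the sc.exe command line above.
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumption: the only legitimate location of each system binary the sample mimics.
LEGIT_PATH = {"csrss.exe": r"c:\windows\system32\csrss.exe"}


def _aces(segment: str) -> List[dict]:
    """Decode each '(type;flags;rights;;;sid)' ACE; only two-letter service
    rights are translated, a hex rights mask would pass through untouched."""
    aces = []
    for body in ACE_RE.findall(segment):
        ace_type, flags, rights, _obj, _inh, sid = (body.split(";") + [""] * 6)[:6]
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                                for i in range(0, len(rights), 2)],
                     "sid": SID_ALIASES.get(sid, sid)})
    return aces


def parse_sddl(sddl: str) -> Dict[str, List[dict]]:
    """Return the DACL ('D:') and SACL ('S:') ACE lists of a service SDDL string."""
    dacl = re.search(r"D:((?:\([^)]*\))*)", sddl)
    sacl = re.search(r"S:((?:\([^)]*\))*)", sddl)
    return {"dacl": _aces(dacl.group(1)) if dacl else [],
            "sacl": _aces(sacl.group(1)) if sacl else []}


def stop_denied_to_admins(sddl: str) -> bool:
    """True when a deny ACE takes SERVICE_STOP away from Builtin Administrators."""
    return any(a["type"] == "deny" and a["sid"] == "Builtin Administrators"
               and "SERVICE_STOP" in a["rights"] for a in parse_sddl(sddl)["dacl"])


def triage(cmdline: str) -> List[str]:
    """Apply the heuristics to one command line and return labelled findings."""
    low = cmdline.lower()
    findings: List[str] = []
    # Masquerading: a system-binary name executing from a non-standard directory.
    for path in re.findall(r'[a-z]:\\[^"\s]+\.exe', low):
        name = path.rsplit("\\", 1)[-1]
        if name in LEGIT_PATH and path != LEGIT_PATH[name]:
            findings.append(f"masquerade:{name}:{path}")
    # Persistence: logon-triggered scheduled task at the highest run level.
    if all(k in low for k in ("schtasks", "/create", "/sc onlogon", "/rl highest")):
        task = re.search(r"/tn\s+(\S+)", low)
        findings.append(f"persistence:schtasks-onlogon-highest:{task.group(1) if task else '?'}")
    # Firewall: inbound allow rule scoped to one program.
    if "netsh advfirewall firewall add rule" in low and "dir=in" in low and "action=allow" in low:
        prog = re.search(r'program="([^"]+)"', low)
        findings.append(f"firewall:inbound-allow:{prog.group(1) if prog else '?'}")
    # Service DACL: a deny ACE that keeps administrators from stopping the service.
    svc = re.search(r"sc sdset (\S+) (D:\S+)", cmdline)
    if svc and stop_denied_to_admins(svc.group(2)):
        findings.append(f"evasion:service-dacl-denies-admin-stop:{svc.group(1)}")
    # Injection: a loader handed a target process name followed by a DLL path.
    if re.search(r"\s\S+\.exe\s+\S+\.dll$", low):
        findings.append("injection:dll-into-named-process")
    return findings


def triage_all(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to its findings; clean lines are omitted."""
    return {c: f for c in cmdlines if (f := triage(c))}


def category_counts(cmdlines: List[str]) -> Dict[str, int]:
    """Count findings by category prefix across a set of command lines."""
    counts: Dict[str, int] = {}
    for finding in (f for fs in triage_all(cmdlines).values() for f in fs):
        cat = finding.split(":", 1)[0]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Distinct command lines copied from the Processes list above.
OBSERVED = [
    r"powershell -nologo -noprofile",
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\rss\csrss.exe",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    "cmd.exe /C sc sdset WinDefender " + SDDL,
    "sc sdset WinDefender " + SDDL,
]
```

Reading the decoded descriptor: LocalSystem keeps start, stop and pause; Builtin Administrators are allowed change-config, start, delete, WRITE_DAC and WRITE_OWNER, after which the explicit deny ACE (D;;WPDT;;;BA) removes SERVICE_STOP and SERVICE_PAUSE_CONTINUE from them; Interactive and Service users may only query. Two caveats for a responder: Windows evaluates ACEs in listed order and here the deny follows an allow ACE for the same group that also grants WP, so confirm what sc stop WinDefender does from an elevated prompt rather than inferring it from the string; and since administrators retain WRITE_DAC and WRITE_OWNER, the descriptor can be reset with sc sdset (or the service removed offline) before C:\Windows\windefender.exe is deleted.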

Network

Country Destination Domain Proto
US 8.8.8.8:53 81f06479-4a22-4a17-aed8-a3f7d9500eed.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
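
Added example, not part of the sandbox output: the Network table above normalised into an indicator set and matched against constructed DNS log lines. The per-victim UUID label in front of uuid.thestatsfiles.ru is collapsed into a suffix match so other infected hosts, which use their own UUID, still hit; queries to 8.8.8.8 are treated as name resolution rather than contact; the in-addr.arpa row is decoded back to the address it asks about. The SHARED_HOSTS set, the Cloudflare prefixes in CDN_NETS and the log line format are this example's assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Rows copied verbatim from the Network table above.
NETWORK_ROWS = """\
US 8.8.8.8:53 81f06479-4a22-4a17-aed8-a3f7d9500eed.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server3.thestatsfiles.ru udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
BG 185.82.216.96:443 server3.thestatsfiles.ru tcp
"""
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
RESOLVER = "8.8.8.8"  # the sandbox's DNS resolver, not attacker infrastructure
# Assumption: public services many benign hosts also use; report these, do not block them.
SHARED_HOSTS = {"cdn.discordapp.com", "stun.ipfire.org"}
# Assumption: Cloudflare anycast prefixes covering the two 104.x/162.x endpoints above;
# check them against Cloudflare's published list before relying on them.
CDN_NETS = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "162.158.0.0/15")]


def parse_rows(text: str) -> List[dict]:
    """Parse 'CC ip:port name proto' rows; malformed lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW_RE.match(line.strip()))]


def ptr_to_ip(name: str) -> Optional[str]:
    """'82.94.21.104.in-addr.arpa' -> '104.21.94.82'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def build_iocs(rows: List[dict]) -> Dict[str, Set[str]]:
    """Normalise rows into exact names, wildcard suffixes, endpoints and reverse lookups."""
    iocs: Dict[str, Set[str]] = {"domains": set(), "suffixes": set(),
                                 "ips": set(), "reverse_lookups": set()}
    for r in rows:
        ip = ptr_to_ip(r["name"])
        if ip:
            iocs["reverse_lookups"].add(ip)  # the sample asked who owns an IP it had reached
            continue
        labels = r["name"].split(".")
        if UUID_RE.match(labels[0]):  # per-victim leftmost label: keep the parent as a suffix
            iocs["suffixes"].add(".".join(labels[1:]))
        else:
            iocs["domains"].add(r["name"])
        if r["ip"] != RESOLVER:  # port-53 rows to the resolver are lookups, not contacts
            iocs["ips"].add(r["ip"])
    return iocs


def classify_name(qname: str, iocs: Dict[str, Set[str]]) -> Optional[str]:
    """'exact', 'suffix', 'shared' (public service) or None for one queried name."""
    q = qname.lower().rstrip(".")
    if q in iocs["domains"]:
        return "shared" if q in SHARED_HOSTS else "exact"
    if any(q.endswith("." + s) for s in iocs["suffixes"]):
        return "suffix"
    return None


def classify_ip(ip: str, iocs: Dict[str, Set[str]]) -> Optional[str]:
    """'cdn' when the endpoint sits in shared CDN space (the hostname is the real
    indicator there), 'exact' for a dedicated endpoint, None when unknown."""
    if ip not in iocs["ips"]:
        return None
    return "cdn" if any(ipaddress.ip_address(ip) in n for n in CDN_NETS) else "exact"


# Constructed DNS log lines (not from the report): 'timestamp client qtype qname'.
CONSTRUCTED_DNS_LOG = """\
2025-06-16T01:58:01Z 10.0.0.12 A 3c2e1a9d-0f2b-4c77-9b1e-2d4a8b5c6e7f.uuid.thestatsfiles.ru
2025-06-16T01:58:02Z 10.0.0.12 A server3.thestatsfiles.ru
2025-06-16T01:58:03Z 10.0.0.12 A cdn.discordapp.com
2025-06-16T01:58:04Z 10.0.0.13 A www.example.com
"""


def scan_dns_log(text: str, iocs: Dict[str, Set[str]]) -> List[tuple]:
    """Return (client, qname, verdict) for each log line whose name matches an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and (verdict := classify_name(parts[3], iocs)):
            hits.append((parts[1], parts[3], verdict))
    return hits


IOCS = build_iocs(parse_rows(NETWORK_ROWS))
```

cdn.discordapp.com and stun.ipfire.org are public services, and the two 104.x/162.x endpoints sit in shared CDN address space that fronts many unrelated sites, so for those the hostname is the usable indicator and the address is not. 185.82.216.96 (server3.thestatsfiles.ru, contacted three times over 443/tcp) is the dedicated endpoint worth blocking and hunting for; the 3478/udp contact with 81.3.27.44 is STUN, a behavioural sign of external-address discovery rather than attacker infrastructure.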

Files

memory/2224-1-0x00000000032C0000-0x00000000036C3000-memory.dmp

memory/2224-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2224-2-0x0000000005070000-0x000000000595B000-memory.dmp

memory/4768-4-0x000000007499E000-0x000000007499F000-memory.dmp

memory/4768-5-0x0000000002A70000-0x0000000002AA6000-memory.dmp

memory/4768-6-0x0000000074990000-0x0000000075141000-memory.dmp

memory/4768-7-0x0000000005220000-0x000000000584A000-memory.dmp

memory/4768-8-0x00000000050C0000-0x00000000050E2000-memory.dmp

memory/4768-9-0x00000000059C0000-0x0000000005A26000-memory.dmp

memory/4768-10-0x0000000005A30000-0x0000000005A96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4gl3u2o2.smb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4768-19-0x0000000005AA0000-0x0000000005DF7000-memory.dmp

memory/4768-20-0x0000000005F60000-0x0000000005F7E000-memory.dmp

memory/4768-21-0x0000000005F90000-0x0000000005FDC000-memory.dmp

memory/4768-22-0x0000000006EB0000-0x0000000006EF6000-memory.dmp

memory/2224-23-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4768-36-0x00000000073D0000-0x0000000007474000-memory.dmp

memory/4768-35-0x00000000073B0000-0x00000000073CE000-memory.dmp

memory/4768-26-0x0000000070D80000-0x00000000710D7000-memory.dmp

memory/4768-25-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/4768-24-0x0000000007350000-0x0000000007384000-memory.dmp

memory/4768-37-0x0000000007B40000-0x00000000081BA000-memory.dmp

memory/4768-38-0x0000000007500000-0x000000000751A000-memory.dmp

memory/4768-39-0x0000000007540000-0x000000000754A000-memory.dmp

memory/4768-40-0x0000000007600000-0x0000000007696000-memory.dmp

memory/4768-41-0x0000000007570000-0x0000000007581000-memory.dmp

memory/4768-42-0x00000000075B0000-0x00000000075BE000-memory.dmp

memory/4768-43-0x00000000075C0000-0x00000000075D5000-memory.dmp

memory/4768-44-0x00000000076C0000-0x00000000076DA000-memory.dmp

memory/4768-45-0x00000000076A0000-0x00000000076A8000-memory.dmp

memory/4768-48-0x0000000074990000-0x0000000075141000-memory.dmp

memory/2224-51-0x00000000032C0000-0x00000000036C3000-memory.dmp

memory/2224-52-0x0000000005070000-0x000000000595B000-memory.dmp

memory/2224-50-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4964-61-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/4964-62-0x0000000070D80000-0x00000000710D7000-memory.dmp

memory/4964-71-0x0000000007730000-0x00000000077D4000-memory.dmp

memory/4964-72-0x0000000007A50000-0x0000000007A61000-memory.dmp

memory/2224-74-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4448-73-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4964-75-0x0000000007AA0000-0x0000000007AB5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/2404-87-0x0000000005AF0000-0x0000000005E47000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 988307f6a2bf34c1e112e05305ee6279
SHA1 91fde27dd6a86aed522d84bc1e1c7a8432e0a15d
SHA256 efbf1202200af3a895c080621342676f7dc2961559f948c59c992897d0371eef
SHA512 dbe27eedd10acb76efc51724792a3e7a43ecf5ffbf066480621c7871bbd983dfec1f6af96f133e4f479daf4ec69895ae3a829a798acd28a34d31f54a94134f2f

memory/2404-89-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/2404-90-0x0000000070DA0000-0x00000000710F7000-memory.dmp

memory/3840-101-0x00000000055E0000-0x0000000005937000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b339d42ee6f558e7b42cb20ffa0c95ae
SHA1 f0d687cc1c2b23aac3898237f74bcce6021eac44
SHA256 b7ee6bd865407c91e114213edeaf4400f7b6f70e5ac96169da0eb814863062d1
SHA512 8b62180dbe2379f074980c269868fc20bbbe8316bb51013659776f518d96562a5456686fe1fc0b709da866de250c352b62cc13d3b0b99fdff209b3123b8a5b4f

memory/3840-111-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/3840-112-0x0000000070E50000-0x00000000711A7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 868b7b5b1fefa3e7da673b1648d264ad
SHA1 09b53c6c262e338fe850b3a4c89152aabd6e16a6
SHA256 bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665
SHA512 fad332c401777afe33997dc76ec8df4fad5f5325d66019593d532fb190964b0ed94599707cbb99711e5aa542db5e825fd83e1687bc89753ae04434186c1cec4a

memory/4448-126-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b9a9c3b9187123ce16b5daaf95f4917a
SHA1 23e4edafe7a02dadbfd7c37f5213f076c91ad2e7
SHA256 43f7f2cae923a3aeab1c7fc9e8bfc318612338ce3cda774109e5ef4537894457
SHA512 3d8b597f25c11a5065035957188aef75923070d05cf73a75dface1dc371e357d476018124b5353cf8aadb85c74b80ae0f79d59e8b7612e4afddb8426241f5b6c

memory/1632-138-0x0000000070C00000-0x0000000070C4C000-memory.dmp

memory/1632-139-0x0000000070D80000-0x00000000710D7000-memory.dmp

memory/4960-157-0x0000000006370000-0x00000000066C7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3061c5a7d4338ebe0d3305868d6080e7
SHA1 5902f4cb43748e16c17c77c15c6cc5d12c32ae3a
SHA256 b5ac722f4cc0ab89cf6327542d7865a19858301005116e3a93931754b3961506
SHA512 de4916a4d47a2d853367b75afcbbe4a4fb72713a3a536b72ba6fadb302538d33bfb5aa517861cfc9d1bbfd5eb59cc8f14a237a910473b394476b3c6660b7ed04

memory/4960-159-0x0000000006CC0000-0x0000000006D0C000-memory.dmp

memory/4960-160-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/4960-161-0x0000000070D30000-0x0000000071087000-memory.dmp

memory/4960-170-0x0000000007B60000-0x0000000007C04000-memory.dmp

memory/4960-172-0x0000000007EF0000-0x0000000007F01000-memory.dmp

memory/4960-173-0x00000000066F0000-0x0000000006705000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5b5da69e062534442ca10ce4ce95a239
SHA1 1933c9ee9db36dc42afa87eb8b225938a355986e
SHA256 79c80391455e675ba305b810eb99071cf825ac7e44a897257682aab7a9737143
SHA512 59ed600e749dc8c88f30575119ccd5e82aaa947a63d4fa6c0622a0dea91cd5bb52cc9c9517d936b4e4f8497b309b9b8bf6ea4783a77e313d154cb2f01235cd39

memory/2304-185-0x0000000070D30000-0x0000000071087000-memory.dmp

memory/2304-184-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/2720-194-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2720-202-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4980-207-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3356-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4980-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2720-213-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3356-214-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2720-216-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2720-219-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3356-220-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2720-222-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2720-225-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2720-228-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2720-231-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2720-234-0x0000000000400000-0x0000000002ED5000-memory.dmp
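
Added example, not part of the sandbox output: the file entries above sorted into what to hunt for and what to ignore. Seven of the ten entries are PowerShell and CLR start-up side effects (the __PSScriptPolicyTest_ script, StartupProfileData-Interactive, the UsageLogs file); C:\Windows\rss\csrss.exe carries the submitted sample's own SHA256 and is therefore a relocated copy rather than a second payload; injector.exe and windefender.exe are the two distinct dropped binaries. The path markers and bucket names are this example's assumptions.

```python
from typing import Dict, List, Tuple

SAMPLE_SHA256 = "bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665"
PS_PROFILE = (r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft"
              r"\Windows\PowerShell\StartupProfileData-Interactive")

# (path, SHA256) pairs copied from the Files list above; memory dumps omitted.
FILE_ENTRIES: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4gl3u2o2.smb.ps1",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32"
     r"\UsageLogs\powershell.exe.log",
     "e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9"),
    (PS_PROFILE, "efbf1202200af3a895c080621342676f7dc2961559f948c59c992897d0371eef"),
    (PS_PROFILE, "b7ee6bd865407c91e114213edeaf4400f7b6f70e5ac96169da0eb814863062d1"),
    (r"C:\Windows\rss\csrss.exe",
     "bc5ed230514270055dd27bcaf8dc87145a7e934976c5a1dc90b5fc6a12ed0665"),
    (PS_PROFILE, "43f7f2cae923a3aeab1c7fc9e8bfc318612338ce3cda774109e5ef4537894457"),
    (PS_PROFILE, "b5ac722f4cc0ab89cf6327542d7865a19858301005116e3a93931754b3961506"),
    (PS_PROFILE, "79c80391455e675ba305b810eb99071cf825ac7e44a897257682aab7a9737143"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1"),
    (r"C:\Windows\windefender.exe",
     "166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa"),
]

# Side effects of powershell.exe and the CLR starting up; they describe the host, not the malware.
POWERSHELL_NOISE = ("\\__psscriptpolicytest_", "\\startupprofiledata-", "\\usagelogs\\powershell.exe.log")
# Files under this directory were written by a process using the LocalSystem profile.
SYSTEM_PROFILE = "\\config\\systemprofile\\"


def classify(path: str, sha256: str, sample_sha256: str = SAMPLE_SHA256) -> str:
    """Bucket one file entry: self-copy, powershell-artifact, dropped-binary or other."""
    p = path.lower()
    if sha256.lower() == sample_sha256.lower():
        return "self-copy"  # byte-identical to the submitted sample, just relocated
    if any(marker in p for marker in POWERSHELL_NOISE):
        return "powershell-artifact"
    if p.endswith((".exe", ".dll", ".sys")):
        return "dropped-binary"
    return "other"


def hunt_list(entries: List[Tuple[str, str]], sample_sha256: str = SAMPLE_SHA256) -> Dict[str, str]:
    """path -> SHA256 for every file worth searching other hosts for."""
    return {p: h for p, h in entries
            if classify(p, h, sample_sha256) in ("self-copy", "dropped-binary")}


def written_under_system_profile(entries: List[Tuple[str, str]]) -> List[str]:
    """Distinct paths inside the LocalSystem profile, consistent with a SYSTEM-token writer."""
    return sorted({p for p, _ in entries if SYSTEM_PROFILE in p.lower()})


def summarize(entries: List[Tuple[str, str]], sample_sha256: str = SAMPLE_SHA256) -> Dict[str, int]:
    """Count entries per bucket."""
    counts: Dict[str, int] = {}
    for p, h in entries:
        bucket = classify(p, h, sample_sha256)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```

The noise entries sit under C:\Windows\SysWOW64\config\systemprofile, the LocalSystem profile, which together with the HKEY_USERS\.DEFAULT registry writes earlier on this page is consistent with those powershell.exe instances running as SYSTEM; that matters when attributing the scheduled task and firewall rule to a process. The five StartupProfileData-Interactive entries carry five different hashes because PowerShell rewrites that cache on each start, so none of those hashes is a usable indicator.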