Malware Analysis Report

2025-06-16 01:59

Sample ID 240509-ya9bdabb4w
Target 96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f
SHA256 96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f
Tags
glupteba dropper evasion execution loader upx discovery persistence rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f

Threat Level: Known bad

The file 96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx discovery persistence rootkit

Glupteba

Glupteba payload

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 19:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 19:36

Reported

2024-05-09 19:38

Platform

win10v2004-20240426-en

Max time kernel

7s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(18 matches; no description, indicator, process or target exposed for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; no description, indicator, process or target exposed for any of them)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe

"C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe

"C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
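
The process list above is the part of this report a detection engineer turns into rules: a binary named csrss.exe running from C:\Windows\rss, a firewall allow rule and an ONLOGON task at the highest run level both pointing at it, a dropped injector that loads NtQuerySystemInformationHook.dll into taskmgr.exe, and an sc sdset that rewrites the ACL of a "WinDefender" service whose binary sits directly in C:\Windows. The Python below is an added example, not sandbox output; it encodes those observations as heuristics and runs them over event records constructed from the command lines listed above, plus two constructed benign controls. The field names (image, cmdline), the TRUSTED_DIRS list and the rule thresholds are this example's own assumptions.

```python
"""Heuristics over the behavioral1 process tree (added example, not from the report).

Event records are constructed from the command lines the sandbox listed; the
field names (image, cmdline), TRUSTED_DIRS and the rule thresholds are this
example's assumptions, not anything the report states.
"""
import re

# Directories from which the binaries mimicked here legitimately run.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _outside_trusted(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_DIRS)


def masquerading_system_binary(ev: dict) -> bool:
    """csrss.exe only runs from System32, and nothing named after Defender
    belongs directly in C:\\Windows."""
    img = ev["image"].lower()
    name = img.rsplit("\\", 1)[-1]
    return (name == "csrss.exe" or "defender" in name) and _outside_trusted(img)


def elevated_logon_task_outside_trusted(ev: dict) -> bool:
    """schtasks /CREATE with /RL HIGHEST whose /TR action lives outside TRUSTED_DIRS."""
    c = ev["cmdline"]
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    if not (re.search(r"/CREATE\b", c, re.I) and re.search(r"/RL\s+HIGHEST\b", c, re.I)):
        return False
    m = re.search(r'/TR\s+"?([^"]+?)"?(?:\s+/|$)', c, re.I)
    return bool(m) and _outside_trusted(m.group(1))


def firewall_allow_outside_trusted(ev: dict) -> bool:
    """netsh advfirewall ... action=allow for a program outside TRUSTED_DIRS."""
    c = ev["cmdline"].lower()
    if "advfirewall" not in c or "action=allow" not in c:
        return False
    m = re.search(r'program="?([^"\s]+)', c)
    return bool(m) and _outside_trusted(m.group(1))


def service_acl_with_deny_ace(ev: dict) -> bool:
    """sc sdset <service> <SDDL> whose DACL carries an explicit deny ACE."""
    return bool(re.search(r"\bsc(?:\.exe)?\s+sdset\s+\S+\s+D:\S*\(D;", ev["cmdline"], re.I))


def injector_with_hook_dll(ev: dict) -> bool:
    """A dropped 'injector' handed a target process name and a *Hook*.dll to load."""
    c = ev["cmdline"].lower()
    return ev["image"].lower().endswith("\\injector.exe") and "hook" in c and c.endswith(".dll")


RULES = [masquerading_system_binary, elevated_logon_task_outside_trusted,
         firewall_allow_outside_trusted, service_acl_with_deny_ace, injector_with_hook_dll]


def triage(events):
    """Map each command line to the names of the rules it trips."""
    return {ev["cmdline"]: [r.__name__ for r in RULES if r(ev)] for ev in events}


EVENTS = [  # constructed from the behavioral1 process list above
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'},
    {"image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": r"schtasks /delete /tn ScheduledUpdate /f"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"image": r"C:\Windows\windefender.exe", "cmdline": r'"C:\Windows\windefender.exe"'},
    {"image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    # Two constructed benign controls: the real csrss.exe and a vendor updater task.
    {"image": r"C:\Windows\System32\csrss.exe", "cmdline": r"C:\Windows\System32\csrss.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate /F'},
]

if __name__ == "__main__":
    for cmd, hits in triage(EVENTS).items():
        print(f"{', '.join(hits) or 'clean':38} {cmd[:72]}")
```

Every hostile line in the tree trips exactly one rule and the two controls trip none. The rules key on the location of the binary rather than its name alone, because the sample's whole persistence chain (firewall rule, ONLOGON task, Run key) is anchored on the single path C:\Windows\rss\csrss.exe; the `schtasks /delete` line is deliberately left unflagged, since deleting a task is routine and the task name alone says nothing.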

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 4c44bcd8-fb27-4e87-ab24-aa4e6129b2ec.uuid.allstatsin.ru udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server6.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.104:443 server6.allstatsin.ru tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BG 185.82.216.104:443 server6.allstatsin.ru tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 65.196.17.2.in-addr.arpa udp
BE 2.17.196.65:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
BG 185.82.216.104:443 server6.allstatsin.ru tcp

Files

memory/3396-1-0x0000000003290000-0x000000000368C000-memory.dmp

memory/3396-2-0x0000000004F30000-0x000000000581B000-memory.dmp

memory/3396-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4052-4-0x000000007489E000-0x000000007489F000-memory.dmp

memory/4052-5-0x0000000004870000-0x00000000048A6000-memory.dmp

memory/4052-7-0x0000000074890000-0x0000000075040000-memory.dmp

memory/4052-8-0x0000000074890000-0x0000000075040000-memory.dmp

memory/4052-6-0x0000000004F30000-0x0000000005558000-memory.dmp

memory/4052-9-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4ounsoz.myf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4052-11-0x0000000005830000-0x0000000005896000-memory.dmp

memory/4052-10-0x0000000005790000-0x00000000057F6000-memory.dmp

memory/4052-21-0x00000000059A0000-0x0000000005CF4000-memory.dmp

memory/4052-22-0x0000000005E40000-0x0000000005E5E000-memory.dmp

memory/4052-23-0x0000000005E80000-0x0000000005ECC000-memory.dmp

memory/4052-24-0x00000000063B0000-0x00000000063F4000-memory.dmp

memory/4052-25-0x0000000007190000-0x0000000007206000-memory.dmp

memory/4052-27-0x0000000007210000-0x000000000722A000-memory.dmp

memory/4052-26-0x0000000007890000-0x0000000007F0A000-memory.dmp

memory/4052-28-0x00000000073D0000-0x0000000007402000-memory.dmp

memory/4052-29-0x0000000070730000-0x000000007077C000-memory.dmp

memory/4052-31-0x00000000708B0000-0x0000000070C04000-memory.dmp

memory/4052-42-0x0000000007430000-0x00000000074D3000-memory.dmp

memory/4052-45-0x0000000007520000-0x000000000752A000-memory.dmp

memory/4052-43-0x0000000074890000-0x0000000075040000-memory.dmp

memory/4052-41-0x0000000007410000-0x000000000742E000-memory.dmp

memory/4052-30-0x0000000074890000-0x0000000075040000-memory.dmp

memory/4052-46-0x00000000075E0000-0x0000000007676000-memory.dmp

memory/3396-44-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4052-47-0x0000000007540000-0x0000000007551000-memory.dmp

memory/4052-48-0x0000000007580000-0x000000000758E000-memory.dmp

memory/4052-49-0x0000000007590000-0x00000000075A4000-memory.dmp

memory/4052-51-0x00000000075D0000-0x00000000075D8000-memory.dmp

memory/4052-50-0x0000000007680000-0x000000000769A000-memory.dmp

memory/4052-54-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3396-56-0x0000000003290000-0x000000000368C000-memory.dmp

memory/3396-57-0x0000000004F30000-0x000000000581B000-memory.dmp

memory/4484-63-0x0000000005DD0000-0x0000000006124000-memory.dmp

memory/4484-79-0x0000000007690000-0x0000000007733000-memory.dmp

memory/4484-69-0x0000000070ED0000-0x0000000071224000-memory.dmp

memory/4484-68-0x0000000070730000-0x000000007077C000-memory.dmp

memory/4484-80-0x00000000079A0000-0x00000000079B1000-memory.dmp

memory/4484-81-0x00000000079F0000-0x0000000007A04000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1408-94-0x0000000005BE0000-0x0000000005F34000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dd39f98c165347731ef3d1b6e6dc5911
SHA1 9502fb2f19b550c5e6036cbf02597fb5f8fa3e30
SHA256 5bcf2f7d0d612e31eb16036907711ec73377e17c715ec00e2cbc8a52fb846d67
SHA512 f8bee3db813b3ddd56e083d3e9fd12a347f18c0f200f82a0fdf0abc6bc15cc056f237b3ae4a1a1e9f0329a604baacad71512ea60cbe3dd500cfa881c75f25f7e

memory/1408-97-0x0000000070EB0000-0x0000000071204000-memory.dmp

memory/1408-96-0x0000000070730000-0x000000007077C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cbfc071bff4d8fedbfda1c82587ae5ee
SHA1 e320318be1fd51ff785ec9c6d80509eb0de991dc
SHA256 4fa9ef20c51c9b00e185ac5b42de328d1dceb1f8aaf218d034407d5412c1ba0a
SHA512 75f5646ad962b29efaac6101cc7def8a5ebc6c2896542eadf9a3349ab1a056c92c052b22141dc9f5364b8908e4c0ca1beb3fd17890d584d1e8cffe0dd2188364

memory/1928-119-0x0000000070EB0000-0x0000000071204000-memory.dmp

memory/1928-118-0x0000000070730000-0x000000007077C000-memory.dmp

memory/3396-131-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3396-129-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/764-130-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 2a2e6034d6068065824b9bf947a4a0d8
SHA1 44fe8d3aff8641ee634b30f44e583269deee61b6
SHA256 96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f
SHA512 b089d2ed7e05c2839494753f5398c1c3ee86e51c34658eeb1c9e6bcdf2abd41b20ffacd9cdf0f86b325cb0e61fbd682dfc1395d3a87f7b0b23c9e855f3c57658

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b94710b14eae296d90f47dba009dba5
SHA1 72ecb208a0674a7b6a0ebcecb1cb53e4aff5c1bc
SHA256 743fdd48269c82075c6856964d89b1390769e52b05b8a602da08be3fb14ba875
SHA512 6f1c9e74713601fdbc4ab3e61d221f350e87719297c67e7479be94b4e6ba9a72687ac550c8de8c26598ef22a22268f05b37d689a5c28cd795d819e7bed93d720

memory/1920-148-0x0000000070730000-0x000000007077C000-memory.dmp

memory/1920-149-0x0000000070EB0000-0x0000000071204000-memory.dmp

memory/1168-170-0x0000000006010000-0x0000000006364000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d5d6e2d371cc48939e16d001d4861fa
SHA1 a5ac3350fa8f36a8506da9cddb6279c53949d6f8
SHA256 019f5bc583ad0fdb356c2cdbcd7b1e63729b9c9a5e5fc0586c5e75b480c1ded1
SHA512 fadd719ebb6f6ac0c1a20426cc0d3c73356357a1e12048fb58b7eb8f86cbe8df96cb224d2c88d4f346e14050bd4337f291452c3497d408278d699f12e2850004

memory/1168-172-0x0000000006650000-0x000000000669C000-memory.dmp

memory/1168-173-0x0000000070650000-0x000000007069C000-memory.dmp

memory/1168-184-0x0000000007890000-0x0000000007933000-memory.dmp

memory/1168-174-0x00000000707F0000-0x0000000070B44000-memory.dmp

memory/1168-185-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

memory/1168-186-0x0000000006400000-0x0000000006414000-memory.dmp

memory/5024-197-0x00000000054D0000-0x0000000005824000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6860b85961db0d4c8134cae02799d9a4
SHA1 6bc0e0f9bd651421d78d815fa60836084b1a2a35
SHA256 c08634bcf66e31d53e76f6e3eb8a5af034c6133bdc354396147029abd48bf32a
SHA512 a3327c9defa42d8f82e7f7e724b91daa687be3711dbc7fb75d2f084b6011d4bf2e6872956df4fd15c7635358f6f36a3c77b92182b6144c4960cfc81246b7cbf9

memory/5024-199-0x0000000070650000-0x000000007069C000-memory.dmp

memory/5024-200-0x0000000070D80000-0x00000000710D4000-memory.dmp

memory/764-210-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1148-217-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1032-224-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1148-223-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1032-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4908-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1148-231-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4908-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1148-235-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4908-240-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1148-239-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1148-243-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1148-247-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1148-251-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1148-255-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1148-259-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1148-263-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1148-267-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 19:36

Reported

2024-05-09 19:38

Platform

win11-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(18 matches; no description, indicator, process or target exposed for any of them)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; no description, indicator, process or target exposed for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
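
The sc.exe invocation behind this signature is the `sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)...` command recorded in the behavioral1 process list. Reading that SDDL by eye is error-prone, so the following Python decodes it. This is an added example, not part of the report: the SDDL constant is the exact string from the process list, SERVICE_RIGHTS is the documented mapping of two-letter SDDL right tokens onto the service-object access mask, and the access() rule is a simplification that decides each right by the first ACE naming both the trustee and the right, ignoring group membership.

```python
"""Decode the service DACL that sc sdset applied to the WinDefender service.

Added example, not part of the report. SDDL is the exact string from the
behavioral1 process list. SERVICE_RIGHTS is the documented mapping of
two-letter SDDL right tokens onto the service-object access mask; the
access() rule is a simplification that ignores group membership.
"""
import re

SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service logon", "WD": "Everyone"}

# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid). Services use no object GUIDs.
_ACE = re.compile(r"\(([AD]);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")


def parse_dacl(sddl: str):
    """Return the DACL ACEs as (type, frozenset(rights), trustee) in descriptor
    order. Only two-letter right tokens are handled (no hex masks); the SACL
    after 'S:' is audit-only and skipped."""
    m = re.match(r"D:(?P<dacl>.*?)(?:S:.*)?$", sddl)
    if not m:
        raise ValueError("expected an SDDL string starting with D:")
    aces = []
    for kind, _flags, rights, _g1, _g2, sid in _ACE.findall(m.group("dacl")):
        if len(rights) % 2:
            raise ValueError(f"unsupported rights field {rights!r}")
        aces.append((kind, frozenset(rights[i:i + 2] for i in range(0, len(rights), 2)), sid))
    return aces


def access(aces, trustee: str, right: str) -> bool:
    """The first ACE naming both the trustee and the right decides; no ACE means
    implicit deny. A real check also matches the caller's group SIDs (ignored here)."""
    for kind, rights, sid in aces:
        if sid == trustee and right in rights:
            return kind == "A"
    return False


def denied_rights(aces, trustee: str):
    """Service rights the trustee cannot exercise under this DACL."""
    return [SERVICE_RIGHTS[r] for r in SERVICE_RIGHTS if not access(aces, trustee, r)]


if __name__ == "__main__":
    dacl = parse_dacl(SDDL)
    for sid in ("SY", "BA", "IU", "SU"):
        print(f"{TRUSTEES[sid]:14} cannot: {', '.join(denied_rights(dacl, sid)) or '-'}")
```

Decoded, the descriptor differs from the usual service default in exactly one place: the Administrators allow ACE has had WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) removed, and a separate `(D;;WPDT;;;BA)` denies them explicitly, so `sc stop WinDefender` from an elevated prompt fails while LocalSystem keeps both rights. Two caveats matter for response: the deny ACE sits after the allow ACEs (non-canonical order), which works here only because the allow ACE already omits those bits; and Administrators retain WRITE_DAC and DELETE, so an elevated `sc sdset` restoring a default descriptor, or `sc delete`, is still available once the process-hiding components are dealt with.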

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1652 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\system32\cmd.exe
PID 4880 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2064 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4880 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4880 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\rss\csrss.exe
PID 4880 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\rss\csrss.exe
PID 4880 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe C:\Windows\rss\csrss.exe
PID 2648 wrote to memory of 4928 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4928 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 4928 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 5072 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 1176 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2648 wrote to memory of 1176 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4616 wrote to memory of 384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 384 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 384 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 384 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 384 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe

"C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe

"C:\Users\Admin\AppData\Local\Temp\96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 676e0000-1e6c-429a-9b84-49c0bd206174.uuid.allstatsin.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 server16.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun4.l.google.com udp
BG 185.82.216.104:443 server16.allstatsin.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server16.allstatsin.ru tcp
BG 185.82.216.104:443 server16.allstatsin.ru tcp

Files

memory/1652-1-0x0000000003250000-0x0000000003658000-memory.dmp

memory/1652-2-0x0000000005040000-0x000000000592B000-memory.dmp

memory/1652-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/992-4-0x00000000746EE000-0x00000000746EF000-memory.dmp

memory/992-5-0x0000000002A70000-0x0000000002AA6000-memory.dmp

memory/992-6-0x00000000052A0000-0x00000000058CA000-memory.dmp

memory/992-7-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/992-8-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/992-9-0x0000000005070000-0x0000000005092000-memory.dmp

memory/992-10-0x0000000005110000-0x0000000005176000-memory.dmp

memory/992-11-0x0000000005180000-0x00000000051E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pjc25kzq.mnf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/992-20-0x00000000059D0000-0x0000000005D27000-memory.dmp

memory/992-21-0x0000000005F20000-0x0000000005F3E000-memory.dmp

memory/992-22-0x0000000005F50000-0x0000000005F9C000-memory.dmp

memory/992-23-0x0000000006EF0000-0x0000000006F36000-memory.dmp

memory/992-24-0x0000000007340000-0x0000000007374000-memory.dmp

memory/992-25-0x0000000070950000-0x000000007099C000-memory.dmp

memory/992-26-0x0000000070B60000-0x0000000070EB7000-memory.dmp

memory/992-35-0x0000000007380000-0x000000000739E000-memory.dmp

memory/992-36-0x00000000073A0000-0x0000000007444000-memory.dmp

memory/992-37-0x0000000007B10000-0x000000000818A000-memory.dmp

memory/992-38-0x00000000074C0000-0x00000000074DA000-memory.dmp

memory/992-40-0x0000000007500000-0x000000000750A000-memory.dmp

memory/1652-39-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/992-41-0x0000000007610000-0x00000000076A6000-memory.dmp

memory/992-42-0x0000000007520000-0x0000000007531000-memory.dmp

memory/992-43-0x0000000007570000-0x000000000757E000-memory.dmp

memory/992-44-0x0000000007580000-0x0000000007595000-memory.dmp

memory/992-45-0x00000000075D0000-0x00000000075EA000-memory.dmp

memory/992-46-0x00000000075B0000-0x00000000075B8000-memory.dmp

memory/992-49-0x00000000746E0000-0x0000000074E91000-memory.dmp

memory/1652-51-0x0000000003250000-0x0000000003658000-memory.dmp

memory/2012-60-0x0000000070950000-0x000000007099C000-memory.dmp

memory/2012-61-0x0000000070B60000-0x0000000070EB7000-memory.dmp

memory/2012-70-0x0000000007180000-0x0000000007224000-memory.dmp

memory/2012-71-0x00000000074A0000-0x00000000074B1000-memory.dmp

memory/2012-72-0x00000000074F0000-0x0000000007505000-memory.dmp

memory/1652-74-0x0000000005040000-0x000000000592B000-memory.dmp

memory/1652-73-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4880-75-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/4732-84-0x0000000005B10000-0x0000000005E67000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6b144efd2b1bff13e3ba24cf40423c7f
SHA1 3db8c582d7287a1ec771079232cdba7836554fb8
SHA256 b74d490aca9b843ab95b09d809774ba3ea424054184e6f0a5f7da58283c2e616
SHA512 d6b830a9f6cbee420c4a02ba19a33cddbe80adb82e442adeff3edfc892ea26b3d8d98a18e571243d74a099d9bed5108719c2c109982af01d01c11208074e020b

memory/4732-89-0x0000000070950000-0x000000007099C000-memory.dmp

memory/4732-90-0x0000000070BA0000-0x0000000070EF7000-memory.dmp

memory/1652-100-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a4b49f40af8ef4488d31b13bb32deac4
SHA1 1a878dc5c06bd57b9133b4269ecd6568b68b4f4e
SHA256 e31bb5f06ad30248a862ead48a99f4da6406faadaee08dd440a79336997fbd60
SHA512 86a965e1c4bd21521312f244284dffbbace0357012910c887751c9299ece8e902d99f1ff2eb6d73d6f55885b4ab8ed8ed56dd67ea33e7fcf466c1f581b087a78

memory/1524-110-0x0000000070950000-0x000000007099C000-memory.dmp

memory/1524-111-0x0000000070BA0000-0x0000000070EF7000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 2a2e6034d6068065824b9bf947a4a0d8
SHA1 44fe8d3aff8641ee634b30f44e583269deee61b6
SHA256 96915c5dcdab08c9ae6164fee17da64ee9d27fd5ed729c66e2a182114a7f750f
SHA512 b089d2ed7e05c2839494753f5398c1c3ee86e51c34658eeb1c9e6bcdf2abd41b20ffacd9cdf0f86b325cb0e61fbd682dfc1395d3a87f7b0b23c9e855f3c57658

memory/4880-124-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3f90b77bace632f9fa2ea91e1ec7d875
SHA1 001ce5c3a3dc4ea8e034d6438bbc40873d3848ee
SHA256 a25dc962d00fe1b8ac2954dce985da9c437cfe70d22f87243e9ed17b5f3663a4
SHA512 3597af083aa9e9b7d7c1b905e8a2660091a8d2e908bc8d7cf41cc4b9ea708113bc5963721d6b700a45316fe2cd0300ebb8e4b624e94a66c6e48d8a1cfbb73730

memory/4928-138-0x0000000070950000-0x000000007099C000-memory.dmp

memory/4928-139-0x0000000070BA0000-0x0000000070EF7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0732480e0c1bf84ed18d1b63d901fa18
SHA1 46127c96f2d6c5b2dbe14cc8bc8165bc231df0a8
SHA256 985156ad650040c88d651295c6705774636ad3a7ca4e3b25baed6d5014faf3a6
SHA512 46dcd67b48c2693dbc9c214f1ef76d764fb185e228abf2de78a13e2e7bba18a6805d69cb1bfcf23cafb4f1292b2bffa1f11dfa6a36904121584e60bf630ae0a8

memory/5072-157-0x0000000005AF0000-0x0000000005E47000-memory.dmp

memory/5072-159-0x00000000060F0000-0x000000000613C000-memory.dmp

memory/5072-160-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/5072-161-0x00000000709F0000-0x0000000070D47000-memory.dmp

memory/5072-170-0x00000000072B0000-0x0000000007354000-memory.dmp

memory/5072-171-0x00000000075E0000-0x00000000075F1000-memory.dmp

memory/5072-172-0x0000000005E70000-0x0000000005E85000-memory.dmp

memory/1948-182-0x0000000005D90000-0x00000000060E7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 138b8875b8fc8f90d5a3bcd4652f7178
SHA1 53da9b5750d865504122bdeeafbc01aa261489b0
SHA256 03a9f831ec7819be7037cb44e7ba4c51eeced168c5a87f095cf840589ae720a1
SHA512 49d5d5d0b2cadb9150dead9bbd5d2e9ff53a030bc155ad8182a9e840637d776d9bd63ab660ecd6ed29a0368fff0e040c7fc0afafe3f57be4e45b1dba790b7119

memory/1948-184-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/1948-185-0x0000000070A10000-0x0000000070D67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2648-201-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4616-205-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3612-209-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4616-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2648-212-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3612-213-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2648-215-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2648-217-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3612-219-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2648-221-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2648-224-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2648-227-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2648-230-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2648-231-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2648-236-0x0000000000400000-0x0000000002ED5000-memory.dmp