Malware Analysis Report

2025-01-02 06:39

Sample ID 240515-wrdvpada74
Target 62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7
SHA256 62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7
Tags
glupteba dropper evasion execution loader upx discovery persistence rootkit
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7

Threat Level: Known bad

The file 62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx discovery persistence rootkit

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 18:08

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 18:08

Reported

2024-05-15 18:11

Platform

win11-20240426-en

Max time kernel

6s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe

"C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe

"C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 e83264f1-5985-4292-a9ad-86397d530c54.uuid.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server10.alldatadump.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun2.l.google.com udp
BG 185.82.216.108:443 server10.alldatadump.org tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BG 185.82.216.108:443 server10.alldatadump.org tcp
BG 185.82.216.108:443 server10.alldatadump.org tcp
BG 185.82.216.108:443 server10.alldatadump.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cjhzw5jz.xod.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c9e5200c310a0d65721b15ff2bf42162
SHA1 1460bac6040067278974a2b7b02c1c439e29dfcd
SHA256 39c89fbf3535b25fd7adea84d2a0e4f6ab4f9df8a698ba8f044eccecd46e424d
SHA512 44f37783d648034f7b1a123f649156bad26ae664674df5c659246d60755c7ab1c88a4aa0b3ee62e9b8e4a5a27214efc83c525d6552641dfc1d7e949eb4e49dac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7f627398bafd69448a8f49567c174385
SHA1 7c284e5d1b234a1687f793781c2de92742c71cb3
SHA256 ab26d72c00f17f9bdd85be7edc699a2bdae67cf7fcb2236e55ed6d796dd59f68
SHA512 6080c9e3703f5c70b242ba6dcad1efe835c1414fda8f04c19dd01e4325fb7a9215f119c2711f4e0870419f65d1f70b717c9117721c508285217dcb3967f26b74

C:\Windows\rss\csrss.exe

MD5 879254e27447aa757455bfe4811f6da3
SHA1 ba82bb3d067fe30315e6b7d5dfff2dd17f7a250c
SHA256 62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7
SHA512 7a3b4fabbccf5f4757e9da8a2a894f446e93b3cfd9b483afb467d8c3359aae00839b88ffe420a0228540265ee068117803c5da62832273f8463070eeb6daa3ec

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0818e53efdf7acbe91eae2f15474b8ef
SHA1 e8476dfae750a607bf9433e803ce87d0bd6c29bf
SHA256 81a9f0d87dc686cc771790f42c9138b07a7438aa496eef76cbee6a19477fddab
SHA512 d91e295c28066359b3c61f602fa94be207aaa3f32b458b89446c189b8124a3d56aebb4bf2e2ca5187ddffb60c47f004a452929143064aeeafc7b8c1ed24de390

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fb8261fe9a13df309c9ec6c889811bf4
SHA1 25cdcd4b6c34343bbd0b603e9789219ea4dbb976
SHA256 bc0551904893c0ad0135fbec6fb180576424283ceb1d2ed01b41510199ff08ed
SHA512 6e5be8a887035dafa4022a276c952f42c181588d8b2f3a480340a39d5aa1b75a8364df9946966331fd3d14db5f0abe0034a374cc1034a60a676e148065d63618

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3176fb158f83c0db428496a14cf86712
SHA1 e0a49d2dedf111ff1dff73c293f6b28d4e47ede6
SHA256 db4a5034b5628d550a37f538f6cd4a0eea89730eeaca751eb039dc4b2a556ccf
SHA512 99984d1ae83ca5826ad2114e72ea4a893e609a88a845a38f3bee2c9c3a8cca9393911d8f72cc19895845a67545866961cc773492b270c6c7a4af32b94d151cc0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 18:08

Reported

2024-05-15 18:11

Platform

win10v2004-20240426-en

Max time kernel

45s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\system32\cmd.exe
PID 3988 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3444 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\rss\csrss.exe
PID 3988 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\rss\csrss.exe
PID 3988 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe C:\Windows\rss\csrss.exe
PID 4936 wrote to memory of 1364 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1364 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1364 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 2652 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 3408 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 1496 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4936 wrote to memory of 1496 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe

"C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe

"C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
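The process list above records four hardening and persistence steps in plain command lines: a netsh inbound allow rule for C:\Windows\rss\csrss.exe, an ONLOGON scheduled task running that copy with highest privileges, a DLL (NtQuerySystemInformationHook.dll) injected into taskmgr.exe, and an sc sdset call that rewrites the security descriptor of the WinDefender service. The descriptor is the part worth decoding: the allow ACE for Administrators (BA) omits WP (Stop) and DT (PauseContinue), and a separate deny ACE (D;;WPDT;;;BA) removes them explicitly, so an administrator gets access denied on sc stop, while WD (WriteDac) and WO (WriteOwner) are still granted, which is what a responder uses to put a normal descriptor back before stopping and deleting the service. The Python below is an added triage example, not the sandbox's signature logic and not code from the sample: SAMPLE_CMDLINES is constructed by copying the command lines from this section, and the rule labels and SYSTEM_PROCESS_NAMES list are this example's own assumptions.

```python
"""Added triage example: label the command lines from the Processes section by
technique and decode the service security descriptor passed to sc sdset.
Rule names and SYSTEM_PROCESS_NAMES are this example's own assumptions."""
import re
from typing import Dict, List, Set

# Service access rights as abbreviated in SDDL ACE strings.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
}
# Well-known SID aliases used in the report's descriptor.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
# ACE layout is (type;flags;rights;object_guid;inherit_guid;sid); only A/D ACEs matter here.
ACE_RE = re.compile(r"\((A|D);([^;]*);([A-Z]*);[^;]*;[^;]*;([A-Z]+)\)")
# Names that belong under System32; a copy elsewhere is treated as masquerading (assumption).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "services.exe"}

# The descriptor from the sc sdset line in the report, verbatim.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed input: command lines copied from the report's Processes section.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7.exe"',
    "powershell -nologo -noprofile",
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\rss\csrss.exe",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    "schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'"C:\Windows\windefender.exe"',
    "cmd.exe /C sc sdset WinDefender " + WINDEFENDER_SDDL,
]


def parse_dacl(sddl: str) -> List[Dict[str, object]]:
    """Split the D: part of an SDDL string into ACEs with decoded rights and trustee."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        return []
    aces: List[Dict[str, object]] = []
    for ace_type, _flags, rights, sid in ACE_RE.findall(m.group(1)):
        abbrevs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": "deny" if ace_type == "D" else "allow",
                     "trustee": TRUSTEES.get(sid, sid),
                     "rights": {SERVICE_RIGHTS.get(a, a) for a in abbrevs}})
    return aces


def admin_rights(sddl: str) -> Dict[str, Set[str]]:
    """Union of allowed and denied service rights for Administrators."""
    out: Dict[str, Set[str]] = {"allow": set(), "deny": set()}
    for ace in parse_dacl(sddl):
        if ace["trustee"] == "Administrators":
            out[str(ace["type"])] |= set(ace["rights"])
    return out


def admin_lockout(sddl: str) -> Set[str]:
    """Stop/PauseContinue rights an administrator has lost (tamper protection of the service)."""
    r = admin_rights(sddl)
    return {"Stop", "PauseContinue"} - (r["allow"] - r["deny"])


def admin_can_rewrite_sd(sddl: str) -> bool:
    """True if WriteDac is still effectively granted, so sc sdset can restore a sane descriptor."""
    r = admin_rights(sddl)
    return "WriteDac" in (r["allow"] - r["deny"])


def triage(cmdline: str) -> List[str]:
    """Label one command line with the technique(s) it evidences; [] when nothing fires."""
    hits: List[str] = []
    low = cmdline.lower()
    if "advfirewall" in low and "add rule" in low and "action=allow" in low:
        prog = re.search(r'program="([^"]+)"', cmdline, re.I)
        hits.append("firewall-allow:" + (prog.group(1) if prog else "?"))
    if "schtasks" in low and "/create" in low:
        task = re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
        flags = [f for f in ("onlogon", "highest") if f in low]
        hits.append("schtask:%s:%s" % (task.group(1) if task else "?", ",".join(flags)))
    sc = re.search(r"sc\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if sc and admin_lockout(sc.group(2)):
        hits.append("service-deny-admin:%s:%s" % (sc.group(1), ",".join(sorted(admin_lockout(sc.group(2))))))
    inj = re.search(r"(\S+\.exe)\s+(\S+\.exe)\s+(\S+\.dll)$", cmdline, re.I)
    if inj:  # <injector> <target process> <dll>: the page's injector.exe usage
        hits.append("dll-inject:%s<-%s" % (inj.group(2), inj.group(3).rsplit("\\", 1)[-1]))
    exe = re.match(r'"?([A-Za-z]:\\[^"\s]+\.exe)', cmdline)
    if exe and exe.group(1).rsplit("\\", 1)[-1].lower() in SYSTEM_PROCESS_NAMES \
            and "\\system32\\" not in exe.group(1).lower():
        hits.append("masquerade:" + exe.group(1))
    return hits


def triage_all(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged command line to its labels; unflagged lines are dropped."""
    return {c: triage(c) for c in cmdlines if triage(c)}


if __name__ == "__main__":
    for line, labels in triage_all(SAMPLE_CMDLINES).items():
        print(labels, "<-", line[:80])
    print("admin can rewrite SD:", admin_can_rewrite_sd(WINDEFENDER_SDDL))
```

The descriptor decoder is deliberately narrow (service rights, well-known SID aliases, DACL only), which is all this report needs; a general SDDL parser would also handle object GUIDs, inheritance flags and raw S-1-5-... SIDs. On a live host the same checks are run with schtasks /query, netsh advfirewall firewall show rule name=csrss and sc sdshow WinDefender, and the lockout result tells you to reset the descriptor with sc sdset before attempting sc stop.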

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 b2da4e26-5f5e-49cf-a47b-b413a62eb3db.uuid.alldatadump.org udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server16.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.250.129:19302 stun.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server16.alldatadump.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.108:443 server16.alldatadump.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BG 185.82.216.108:443 server16.alldatadump.org tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/4976-1-0x00000000047A0000-0x0000000004B9F000-memory.dmp

memory/4976-2-0x0000000004BA0000-0x000000000548B000-memory.dmp

memory/4976-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1388-4-0x000000007402E000-0x000000007402F000-memory.dmp

memory/1388-5-0x0000000002E90000-0x0000000002EC6000-memory.dmp

memory/1388-7-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/1388-6-0x0000000005630000-0x0000000005C58000-memory.dmp

memory/1388-8-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/1388-9-0x00000000055B0000-0x00000000055D2000-memory.dmp

memory/1388-11-0x0000000005E00000-0x0000000005E66000-memory.dmp

memory/1388-10-0x0000000005D90000-0x0000000005DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aya3ip4h.4bq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1388-21-0x0000000005E70000-0x00000000061C4000-memory.dmp

memory/1388-22-0x0000000006460000-0x000000000647E000-memory.dmp

memory/1388-23-0x00000000064A0000-0x00000000064EC000-memory.dmp

memory/1388-24-0x00000000069A0000-0x00000000069E4000-memory.dmp

memory/1388-25-0x00000000077A0000-0x0000000007816000-memory.dmp

memory/1388-27-0x0000000007820000-0x000000000783A000-memory.dmp

memory/1388-26-0x0000000007EA0000-0x000000000851A000-memory.dmp

memory/1388-30-0x000000006FEC0000-0x000000006FF0C000-memory.dmp

memory/1388-31-0x0000000070040000-0x0000000070394000-memory.dmp

memory/1388-29-0x00000000079E0000-0x0000000007A12000-memory.dmp

memory/1388-41-0x0000000007A20000-0x0000000007A3E000-memory.dmp

memory/1388-42-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/1388-43-0x0000000007A40000-0x0000000007AE3000-memory.dmp

memory/1388-44-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/1388-45-0x0000000007B30000-0x0000000007B3A000-memory.dmp

memory/4976-28-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1388-46-0x0000000007C40000-0x0000000007CD6000-memory.dmp

memory/1388-47-0x0000000007B40000-0x0000000007B51000-memory.dmp

memory/1388-48-0x0000000007B80000-0x0000000007B8E000-memory.dmp

memory/1388-49-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

memory/1388-51-0x0000000007BE0000-0x0000000007BE8000-memory.dmp

memory/1388-50-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

memory/1388-54-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/4976-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4976-58-0x0000000004BA0000-0x000000000548B000-memory.dmp

memory/4976-56-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4760-68-0x0000000005850000-0x0000000005BA4000-memory.dmp

memory/4760-69-0x0000000005DE0000-0x0000000005E2C000-memory.dmp

memory/4760-71-0x0000000070140000-0x0000000070494000-memory.dmp

memory/4760-70-0x000000006FFC0000-0x000000007000C000-memory.dmp

memory/4760-81-0x0000000006F90000-0x0000000007033000-memory.dmp

memory/4760-82-0x00000000072A0000-0x00000000072B1000-memory.dmp

memory/4760-83-0x00000000072F0000-0x0000000007304000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eca74b72e2a03c21a5e1279590de5ed5
SHA1 87743b1a3ab7101b52a1f0a8af452d21106d270d
SHA256 8140d10fcf211ab6b0f97f18eb137cf1bc55579b796c397ab1f45edcb4f720ca
SHA512 418989140fbd8df9f64ab9323590418745dfe430dd1e4a8df8b20fc02b84b849b22e579413de4cdf083311fd69bdd21b17d4b93abdcf0e5dd06791edf34e3438

memory/1196-98-0x0000000070140000-0x0000000070494000-memory.dmp

memory/1196-97-0x000000006FFC0000-0x000000007000C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1a31cd98d238319225969fce7e643b7e
SHA1 2248e9b5e5b972981b0eb42df63509b74d373c09
SHA256 53fcc5474439bec89343d3ee5079d8f5c62685617138a4730fe8ad40b9dc939c
SHA512 7483738fd164e123b177cf872f5441507b10e38326171b7c30a1078b8a86afbc86960d336d576aa19f3f19877194b781da2ea0c54bbff7d6bad8d24490417ee3

memory/3408-118-0x0000000005E80000-0x00000000061D4000-memory.dmp

memory/3408-121-0x0000000070160000-0x00000000704B4000-memory.dmp

memory/3408-120-0x000000006FFC0000-0x000000007000C000-memory.dmp

memory/3988-131-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 879254e27447aa757455bfe4811f6da3
SHA1 ba82bb3d067fe30315e6b7d5dfff2dd17f7a250c
SHA256 62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7
SHA512 7a3b4fabbccf5f4757e9da8a2a894f446e93b3cfd9b483afb467d8c3359aae00839b88ffe420a0228540265ee068117803c5da62832273f8463070eeb6daa3ec

memory/1364-143-0x00000000062C0000-0x0000000006614000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0ffdd6647fa8ca17baf79f85e2a6c85a
SHA1 897808b811be0a978791e7d350f44e20982e6848
SHA256 d6b0c0a930b01beb1eaf2ccd1ab45deaf3ed7414cc443baf6a3a84fc9a771f6d
SHA512 b033084d3438a03be4bec7d5032b47fca2dbaeb099c501ac03ea4f493a03b9eddba82c2ceb24c21f887efee64803b7c164863b12d1c2112be706f9bd1d9b8767

memory/1364-149-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

memory/1364-151-0x00000000706E0000-0x0000000070A34000-memory.dmp

memory/1364-150-0x000000006FF20000-0x000000006FF6C000-memory.dmp

memory/1364-161-0x0000000007B80000-0x0000000007C23000-memory.dmp

memory/1364-162-0x0000000007ED0000-0x0000000007EE1000-memory.dmp

memory/1364-163-0x0000000006750000-0x0000000006764000-memory.dmp

memory/2652-174-0x0000000005710000-0x0000000005A64000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c03af6bac6219c7d5a061981a466f777
SHA1 46977b00f83339a465481682a58a05bd4e59f82e
SHA256 f78921b9dcc603e47249a969cd936fe5ad7ea4d634ff905534c0da71964bd0ad
SHA512 961a9a00d2835499a03dcae37801c382e13b17ce0cbaeda9330ba9af8bacdf872cbdff1b646a6b57495fb2f7437a021a2e3ac8714aa7700bad14444aa73f6709

memory/2652-176-0x0000000005E20000-0x0000000005E6C000-memory.dmp

memory/2652-189-0x0000000007000000-0x00000000070A3000-memory.dmp

memory/3988-177-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2652-179-0x0000000070000000-0x0000000070354000-memory.dmp

memory/2652-178-0x000000006FE40000-0x000000006FE8C000-memory.dmp

memory/2652-190-0x00000000071D0000-0x00000000071E1000-memory.dmp

memory/2652-191-0x0000000005B90000-0x0000000005BA4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a2dba6324a3bd28c630081c4a7d94128
SHA1 5c98a59db97747c61ce8cb417e70555cc0fc65df
SHA256 5b3737c648b400b7befc3816ddf10294279689bf175da7ca37f5b19f8ec22634
SHA512 7249ab6cd989cf44e30e1b90dc1c815157bb3ac9bb8ed7d9c42c9155ed774c00a9ef1ad4f301f763cd1d9033e19d2659ee525d20248027f22a63509071580a88

memory/3408-202-0x00000000056D0000-0x0000000005A24000-memory.dmp

memory/3408-205-0x0000000070250000-0x00000000705A4000-memory.dmp

memory/3408-204-0x000000006FE40000-0x000000006FE8C000-memory.dmp

memory/4936-216-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2324-227-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4936-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/2324-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5032-231-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4936-234-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5032-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4936-237-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/5032-241-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4936-240-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4936-243-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4936-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4936-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4936-252-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4936-255-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4936-258-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4936-261-0x0000000000400000-0x0000000002B0B000-memory.dmp