
PowerShell runs an executable which then executes csrss and wininit

Recommended Posts

I was analysing a machine on which I found malicious, or at least unusual, activity. There is a powershell.exe process which is the parent of a conhost.exe process. In further analysis, I found out that this conhost.exe process was the parent of csrss and wininit processes. So I wanted to know: can this activity be malicious? If yes, how can I find out more information about these processes? I have a memory dump from that machine and also the Volatility tool for analysis.

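One way to start answering the question above from the memory dump is to run Volatility's process listing and check, for every core Windows process, whether its parent is the one Windows normally gives it. The script below is an added example, not code from this thread or from the Volatility project: it parses the plain-text output of `vol.py -f <dump> windows.pslist` (Volatility 3), and the sample listing embedded in it is constructed to mirror the chain described in the post (powershell.exe -> conhost.exe -> csrss.exe / wininit.exe). The expected-parent table is an assumption based on the usual Windows 7 and later process tree; confirm it against a clean host of the same build before relying on it.

```python
"""Sanity-check parent/child relationships in a Volatility 3 windows.pslist listing.

Added illustration, not code from the thread or from Volatility.  It reads the
text output of `vol.py -f <dump> windows.pslist` and flags core Windows
processes whose parent is not the one Windows normally gives them.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample output (whitespace-separated, as the Volatility 3 text
# renderer prints it).  Only PID, PPID and ImageFileName are used.
SAMPLE_PSLIST = """\
Volatility 3 Framework
PID    PPID   ImageFileName   Offset(V)        Threads Handles SessionId Wow64 CreateTime                 ExitTime File output
4      0      System          0xe00000c43040   150     -       N/A       False 2023-05-01 10:00:00.000000 N/A      Disabled
348    4      smss.exe        0xe00001a31040   2       -       N/A       False 2023-05-01 10:00:01.000000 N/A      Disabled
456    436    csrss.exe       0xe00001b9b080   10      -       0         False 2023-05-01 10:00:02.000000 N/A      Disabled
520    436    wininit.exe     0xe00001be0080   1       -       0         False 2023-05-01 10:00:02.500000 N/A      Disabled
612    520    services.exe    0xe00001c10080   5       -       0         False 2023-05-01 10:00:03.000000 N/A      Disabled
620    520    lsass.exe       0xe00001c20080   8       -       0         False 2023-05-01 10:00:03.000000 N/A      Disabled
3344   3300   explorer.exe    0xe00002a00080   40      -       1         False 2023-05-01 10:01:00.000000 N/A      Disabled
2100   3344   powershell.exe  0xe00002e00080   12      -       1         False 2023-05-01 11:20:00.000000 N/A      Disabled
2140   2100   conhost.exe     0xe00002e10080   3       -       1         False 2023-05-01 11:20:00.100000 N/A      Disabled
2188   2140   csrss.exe       0xe00002e20080   2       -       1         False 2023-05-01 11:20:01.000000 N/A      Disabled
2196   2140   wininit.exe     0xe00002e30080   2       -       1         False 2023-05-01 11:20:01.200000 N/A      Disabled
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


@dataclass(frozen=True)
class Finding:
    pid: int
    name: str
    parent_pid: int
    parent_name: str
    expected: str


# Parent a core Windows process normally has (assumed Windows 7 and later).
# Deliberately small; extend it for your build after checking a clean host.
EXPECTED_PARENT: Dict[str, set] = {
    "smss.exe":     {"System", "smss.exe"},   # per-session smss instances come from the master smss
    "csrss.exe":    {"smss.exe"},
    "wininit.exe":  {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe":    {"wininit.exe"},
    "conhost.exe":  {"csrss.exe"},            # csrss launches conhost for console applications
    "userinit.exe": {"winlogon.exe"},
}


def parse_pslist(text: str) -> Dict[int, Proc]:
    """Return {pid: Proc}; banner, progress and header lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        pid, ppid, name = int(parts[0]), int(parts[1]), parts[2]
        procs[pid] = Proc(pid, ppid, name)
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from `pid` upward until a parent is missing from the listing."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def find_anomalies(procs: Dict[int, Proc]) -> List[Finding]:
    """Flag core processes whose (still-listed) parent is not the expected one."""
    findings: List[Finding] = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            # Parent already exited.  Normal for csrss/wininit/winlogon, whose
            # per-session smss instance exits right after creating them; pslist
            # alone cannot judge these, so leave them to pstree/psscan review.
            continue
        if parent.name not in expected:
            findings.append(Finding(p.pid, p.name, parent.pid, parent.name,
                                    " or ".join(sorted(expected))))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for f in find_anomalies(procs):
        print(f"PID {f.pid} {f.name}: parent is {f.parent_name} (PID {f.parent_pid}), "
              f"expected {f.expected}; ancestry: {' <- '.join(ancestry(procs, f.pid))}")
```

Run it against real output by replacing SAMPLE_PSLIST with the saved pslist text. On the sample it reports conhost.exe under powershell.exe and both csrss.exe and wininit.exe under conhost.exe. Three caveats a practitioner should keep in mind: a PPID can point to a later, unrelated process that reused the PID (compare CreateTime of child and parent); a parent can be spoofed at creation time via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute; and a matching image name proves nothing on its own, so check the image path and command line (windows.cmdline, windows.dlllist) against \Windows\System32 before drawing conclusions.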

Hello, @tlightning, welcome.
I can guide you to see if there is an actual malware infection. I do have some first questions:

  • Is this your machine?
  • Do you have direct physical access to it?
  • What is the Windows version?
  • Is this machine a home-user type? (as opposed to, say, a corporate or organization machine?)
  • Have you scanned the system with Malwarebytes?
  • Have you scanned with antivirus? Microsoft Defender, for example.

Please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection
