Malware Analysis Report

2025-06-16 06:22

Sample ID 231005-qnyg2adb98
Target 7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c
SHA256 7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c
Tags
glupteba discovery dropper evasion loader persistence rootkit trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c

Threat Level: Known bad

The file 7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c was found to be: Known bad.

Malicious Activity Summary

glupteba discovery dropper evasion loader persistence rootkit trojan upx

Glupteba payload

Glupteba

Windows security bypass

Modifies Windows Firewall

UPX packed file

Windows security modification

Executes dropped EXE

Adds Run key to start application

Manipulates WinMonFS driver

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-05 13:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-05 13:25

Reported

2023-10-05 13:27

Platform

win10-20230915-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2445638973-2158012892-84912826-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 608 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 608 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 608 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\System32\cmd.exe
PID 2880 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\netsh.exe
PID 2400 wrote to memory of 984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\netsh.exe
PID 2880 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\rss\csrss.exe
PID 2880 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\rss\csrss.exe
PID 2880 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\rss\csrss.exe
PID 4804 wrote to memory of 4556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2180 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2180 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 2180 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 4416 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3116 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 4804 wrote to memory of 3116 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3720 wrote to memory of 1356 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 1356 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 1356 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1356 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 1356 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
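
The rows above describe two injection chains: the sample writes into powershell.exe and into its own copy at C:\Windows\rss\csrss.exe, that copy writes into more powershell.exe instances and into injector.exe, and windefender.exe drives cmd.exe into sc.exe. The script below is an added example, not part of the report: it parses these rows (copied from the table, with the repeated per-call rows collapsed), prints the chain as a tree, and flags the two impersonation tells, a core-process name (csrss.exe) running outside System32 and an unknown executable dropped directly into C:\Windows. The allowlist of binaries that legitimately live in C:\Windows is a partial assumption for the example.

```python
"""Rebuild the WriteProcessMemory chain from the rows above and flag processes
whose image path does not fit their name. Added example, not part of the report."""
import re
from collections import defaultdict

# Rows copied from the table above (the report emits one row per API call;
# parse_rows() keeps one row per distinct source/target pair).
ROWS = r"""
PID 2880 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\rss\csrss.exe
PID 2880 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe C:\Windows\rss\csrss.exe
PID 4804 wrote to memory of 4556 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 3116 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3720 wrote to memory of 1356 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1356 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
"""
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Core Windows process names that only run from System32 (SysWOW64 added for
# the 32-bit copies a WOW64 sandbox launches).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Partial allowlist (an assumption for this example) of Microsoft binaries
# that legitimately live directly in C:\Windows.
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                      "hh.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}


def parse_rows(text):
    """Distinct (src_pid, dst_pid, src_image, dst_image) tuples, in report order."""
    seen, rows = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = (int(m[1]), int(m[2]), m[3], m[4])
            if row not in seen:
                seen.add(row)
                rows.append(row)
    return rows


def masquerade_reason(image):
    """Why an image path looks like it impersonates a Windows component, or None."""
    directory, _, name = image.lower().rpartition("\\")
    if name in SYSTEM_NAMES and directory not in LEGIT_DIRS:
        return f"{name} is a core system process name but runs from {directory}"
    if directory == r"c:\windows" and name not in WINDOWS_ROOT_ALLOW:
        return f"{name} dropped directly into C:\\Windows"
    return None


def findings(rows):
    """(pid, image, reason) for every process in the chain that fails masquerade_reason()."""
    images = {}
    for src, dst, src_img, dst_img in rows:
        images[src], images[dst] = src_img, dst_img
    out = []
    for pid, img in sorted(images.items()):
        reason = masquerade_reason(img)
        if reason:
            out.append((pid, img, reason))
    return out


def injection_tree(rows):
    """Indented 'pid image' lines, one subtree per process that was never itself a target."""
    children, images = defaultdict(list), {}
    for src, dst, src_img, dst_img in rows:
        children[src].append(dst)
        images[src], images[dst] = src_img, dst_img
    targets = {dst for _, dst, _, _ in rows}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(pid for pid in children if pid not in targets):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print("\n".join(injection_tree(rows)))
    for pid, img, reason in findings(rows):
        print(f"[!] {pid}: {reason}")
```

The same two checks work on live process-creation telemetry (Sysmon event 1 or 8, EDR process trees): a csrss.exe whose image path is not System32 never has a benign explanation, and a service binary sitting in C:\Windows itself deserves a hash lookup before anything else.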

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe

"C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe

"C:\Users\Admin\AppData\Local\Temp\7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
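
Three of the command lines above do the persistence and defence-evasion work: the netsh call opens an inbound firewall exception for C:\Windows\rss\csrss.exe, the schtasks call registers that binary to run at every logon with highest privileges, and the sc sdset call rewrites the security descriptor of a service named WinDefender (not WinDefend, the real Microsoft Defender Antivirus service). The SDDL is the part worth decoding: on a service object the generic letters RP, WP and DT mean SERVICE_START, SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and the descriptor both removes WP and DT from the Administrators allow ACE and adds an explicit (D;;WPDT;;;BA) deny, so an administrator's sc stop or net stop fails with access denied. The script below is an added example, not from the report; the command lines are copied from the list above and it uses only the standard library.

```python
"""Triage of the command lines above: the firewall exception, the logon task
and the service DACL set by windefender.exe. Added example, not from the report."""
import re

# Letters in a service SDDL map to service-specific rights: RP/WP/DT are
# SERVICE_START / SERVICE_STOP / SERVICE_PAUSE_CONTINUE, not property access.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
CONTROL_RIGHTS = {"START", "STOP", "PAUSE_CONTINUE", "CHANGE_CONFIG", "DELETE"}
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Command lines copied from the Processes list of this report.
SC_CMD = (r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
          r"(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
          r"S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
NETSH_CMD = (r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
             r'program="C:\Windows\rss\csrss.exe" enable=yes')
SCHTASKS_CMD = r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'


def parse_acl(sddl, tag):
    """ACEs of the D: (DACL) or S: (SACL) section as dicts with service right names."""
    m = re.search(tag + r":((?:\([^)]*\))*)", sddl)
    aces = []
    for ace in ACE_RE.finditer(m.group(1) if m else ""):
        letters = ace.group(3)
        aces.append({
            "type": ace.group(1),                      # A = allow, D = deny, AU = audit
            "rights": [SERVICE_RIGHTS.get(letters[i:i + 2], letters[i:i + 2])
                       for i in range(0, len(letters), 2)],
            "trustee": ace.group(6),                   # SY, BA, IU, SU, WD ...
        })
    return aces


def admin_control_lost(sddl):
    """(explicitly denied, not granted) control rights for BA (Builtin Administrators)."""
    denied, allowed = set(), set()
    for ace in parse_acl(sddl, "D"):
        if ace["trustee"] == "BA" and ace["type"] == "D":
            denied.update(ace["rights"])
        elif ace["trustee"] == "BA" and ace["type"] == "A":
            allowed.update(ace["rights"])
    return sorted(denied & CONTROL_RIGHTS), sorted(CONTROL_RIGHTS - allowed)


def netsh_rule(cmdline):
    """key=value pairs of a 'netsh advfirewall firewall add rule' command line."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmdline)}


def schtasks_args(cmdline):
    """/SWITCH value pairs of a schtasks command line (flags without a value map to "")."""
    return {k.upper(): v.strip('"') for k, v in
            re.findall(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?', cmdline)}


def triage(sc_cmd=SC_CMD, netsh_cmd=NETSH_CMD, schtasks_cmd=SCHTASKS_CMD):
    """Human-readable findings for the three command lines."""
    out = []
    svc, sddl = re.match(r"sc\s+sdset\s+(\S+)\s+(\S+)", sc_cmd).groups()
    denied, missing = admin_control_lost(sddl)
    if denied or missing:
        out.append(f"service {svc}: Administrators denied {denied}, not granted {missing}")
    rule = netsh_rule(netsh_cmd)
    if rule.get("action") == "allow" and rule.get("dir") == "in":
        out.append(f"inbound firewall allow for {rule.get('program')} (rule {rule.get('name')})")
    task = schtasks_args(schtasks_cmd)
    if "CREATE" in task and task.get("SC") == "ONLOGON" and task.get("RL") == "HIGHEST":
        out.append(f"logon task {task.get('TN')} runs {task.get('TR')} with highest privileges")
    return out


if __name__ == "__main__":
    for line in triage():
        print(line)
```

For response: Administrators keep WD (WRITE_DAC) and DC (CHANGE_CONFIG) in this descriptor, so `sc sdset WinDefender` with the default service descriptor (whose BA ACE is `(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)`, with no deny ACE) restores control, after which the service can be stopped and `sc delete` run. Compare the descriptor of any suspicious service with `sc sdshow <name>` before trusting that it failed to stop for an innocent reason.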

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 d1b72cd2-cf31-4eca-8491-61efcadc4e70.uuid.cdntokiog.studio udp
US 8.8.8.8:53 server12.cdntokiog.studio udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.128.127:19302 stun.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.49:443 server12.cdntokiog.studio tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 mastertryprice.com udp
US 104.21.37.186:443 mastertryprice.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 49.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 186.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
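
The network table mixes DNS questions to 8.8.8.8 with the connections they preceded, and several of the questions are reverse (PTR) lookups whose labels read backwards. The script below is an added example, not from the report: it parses the table as copied above, converts in-addr.arpa and ip6.arpa names back to the address being asked about, separates forward questions from connections, and lists the PTR lookups for addresses that never appear as a connection in the table (the table does not say what generated them). The single ip6.arpa name decodes to 808:808::, which is the four bytes of 8.8.8.8 placed at the start of an otherwise zero IPv6 address, an observation from the arithmetic rather than anything the report states.

```python
"""Decode the Network table above into indicators: forward DNS questions,
reverse (PTR) lookups mapped back to the address they describe, and the
actual connections joined to their names. Added example, not from the report."""
import ipaddress

# Rows copied from the Network table of this report: country, destination, name, protocol.
NETWORK = """
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 d1b72cd2-cf31-4eca-8491-61efcadc4e70.uuid.cdntokiog.studio udp
US 8.8.8.8:53 server12.cdntokiog.studio udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.128.127:19302 stun.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.49:443 server12.cdntokiog.studio tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 mastertryprice.com udp
US 104.21.37.186:443 mastertryprice.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 49.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 186.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """Address described by an in-addr.arpa / ip6.arpa name, or None for other names."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # 32 nibbles, least significant first; regroup into eight hextets
            nibbles = "".join(reversed(labels[:-2]))
            return str(ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))))
    except ipaddress.AddressValueError:
        pass
    return None


def parse_network(text):
    """One dict per table row."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, name, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return rows


def correlate(rows, resolver_port=53):
    """Return (forward names, {ip: ptr name}, connections, orphan PTR ips).

    A connection is any row that is not a DNS question; an orphan PTR lookup is
    an address the host asked about with no matching connection in the table."""
    questions = [r for r in rows if r["port"] == resolver_port and r["proto"] == "udp"]
    reverse, forward = {}, []
    for q in questions:
        ip = ptr_to_ip(q["name"])
        if ip:
            reverse[ip] = q["name"]
        elif q["name"] not in forward:
            forward.append(q["name"])
    connections = [(r["name"], r["ip"], r["port"], r["proto"], r["country"])
                   for r in rows if r not in questions]
    connected_ips = {c[1] for c in connections}
    orphans = sorted(ip for ip in reverse if ip not in connected_ips)
    return forward, reverse, connections, orphans


if __name__ == "__main__":
    forward, reverse, connections, orphans = correlate(parse_network(NETWORK))
    for name, ip, port, proto, country in connections:
        print(f"{name:40} {ip}:{port}/{proto} ({country})")
    print("PTR lookups without a connection in the table:", ", ".join(orphans))
```

Of the four connections, server12.cdntokiog.studio (185.82.216.49:443) and mastertryprice.com (104.21.37.186:443) are the indicators specific to this sample; cdn.discordapp.com and stun.l.google.com are shared services (Discord's file CDN and Google's public STUN server), so block or hunt on the full URL or the process making the request rather than on those IPs alone.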

Files

memory/608-1-0x0000000004C60000-0x0000000005068000-memory.dmp

memory/608-2-0x0000000005070000-0x000000000595B000-memory.dmp

memory/608-3-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/1144-6-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/1144-7-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/1144-8-0x0000000004C20000-0x0000000004C56000-memory.dmp

memory/1144-9-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/1144-10-0x00000000073B0000-0x00000000079D8000-memory.dmp

memory/608-11-0x0000000004C60000-0x0000000005068000-memory.dmp

memory/1144-12-0x0000000007320000-0x0000000007342000-memory.dmp

memory/1144-13-0x0000000007A50000-0x0000000007AB6000-memory.dmp

memory/1144-15-0x0000000007AC0000-0x0000000007B26000-memory.dmp

memory/1144-16-0x0000000007CA0000-0x0000000007FF0000-memory.dmp

memory/608-14-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/608-17-0x0000000005070000-0x000000000595B000-memory.dmp

memory/1144-18-0x0000000007B80000-0x0000000007B9C000-memory.dmp

memory/1144-19-0x0000000008640000-0x000000000868B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsqq5pxw.a5i.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1144-38-0x0000000008690000-0x00000000086CC000-memory.dmp

memory/1144-69-0x00000000091F0000-0x0000000009266000-memory.dmp

memory/1144-72-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/1144-77-0x000000000A060000-0x000000000A093000-memory.dmp

memory/1144-78-0x0000000070940000-0x000000007098B000-memory.dmp

memory/1144-79-0x0000000070990000-0x0000000070CE0000-memory.dmp

memory/1144-80-0x000000000A040000-0x000000000A05E000-memory.dmp

memory/1144-85-0x000000000A0A0000-0x000000000A145000-memory.dmp

memory/1144-86-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/1144-87-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/1144-88-0x000000000A2C0000-0x000000000A354000-memory.dmp

memory/1144-281-0x0000000008590000-0x00000000085AA000-memory.dmp

memory/1144-286-0x0000000008580000-0x0000000008588000-memory.dmp

memory/608-295-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/1144-305-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/608-306-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/2880-308-0x0000000004B90000-0x0000000004F8D000-memory.dmp

memory/2880-309-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4036-312-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/4036-313-0x00000000064F0000-0x0000000006500000-memory.dmp

memory/4036-314-0x0000000007430000-0x0000000007780000-memory.dmp

memory/4036-315-0x0000000007DD0000-0x0000000007E1B000-memory.dmp

memory/2880-332-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4036-336-0x000000007E500000-0x000000007E510000-memory.dmp

memory/4036-338-0x0000000070AB0000-0x0000000070E00000-memory.dmp

memory/2880-337-0x0000000004B90000-0x0000000004F8D000-memory.dmp

memory/4036-335-0x0000000070A60000-0x0000000070AAB000-memory.dmp

memory/4036-343-0x0000000008E40000-0x0000000008EE5000-memory.dmp

memory/4036-344-0x00000000064F0000-0x0000000006500000-memory.dmp

memory/4036-439-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/4036-463-0x00000000064F0000-0x0000000006500000-memory.dmp

memory/4036-560-0x0000000073D30000-0x000000007441E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

memory/4624-564-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/4624-565-0x00000000047A0000-0x00000000047B0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a1df27e6a221fee13916a25e72787948
SHA1 0ecd615fa80a27426110744452c09ea140a4fc70
SHA256 2a6f8daba8cbb3795f99f27a1d9aceda0c9230de6ed9fece1bcc5710c5f8b202
SHA512 676b0465411b6e5cdbf0b3b11f3254614417e086ef776383a0a281ee611f1bb6dc6f9b254efd5f8b6651d739eab7d3da08c82f9c85fd7d63d7c73a9cd7410e1b

memory/2880-569-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4624-586-0x000000007E9C0000-0x000000007E9D0000-memory.dmp

memory/4624-587-0x0000000070A60000-0x0000000070AAB000-memory.dmp

memory/4624-588-0x0000000070AB0000-0x0000000070E00000-memory.dmp

memory/4624-593-0x00000000047A0000-0x00000000047B0000-memory.dmp

memory/4624-806-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/3144-808-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/3144-810-0x0000000007290000-0x00000000072A0000-memory.dmp

memory/3144-811-0x0000000007290000-0x00000000072A0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0deb8b9983e16424957561b8ca8a8611
SHA1 95df285cec9c571a6bdb4d34dfb04f152d762db4
SHA256 457f3e3e47c8d56f393083f8ea02f2bbf6690e57eae11eac00bd73daba5e0b36
SHA512 2c3c755d9ed55fe1c13c5ed294173a2cc20df1faefdf5d70361b340d0111da432f5026fab409777e91995a6ad5c2d6fc3e407b2f3642b1d6e358ebf91b5fdbb2

memory/3144-831-0x0000000070A60000-0x0000000070AAB000-memory.dmp

memory/3144-832-0x0000000070AB0000-0x0000000070E00000-memory.dmp

memory/2880-837-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/3144-840-0x0000000007290000-0x00000000072A0000-memory.dmp

memory/3144-961-0x0000000073D30000-0x000000007441E000-memory.dmp

memory/3144-1052-0x0000000073D30000-0x000000007441E000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b1b5d6204253f7d60330b4146365ef5a
SHA1 074e5e4894812ffc17a2a2ab5a44ceea266dcf78
SHA256 7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c
SHA512 64834d5b2574ef3089eadfb7ca1a803391d705be7237e13837ac6a9d894893fefbdde6914a997a538e2a79a541916096886e23d53b22244238d238d4720fdac8

memory/2880-1057-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4804-1059-0x0000000005100000-0x00000000054F9000-memory.dmp

memory/4804-1060-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4556-1063-0x0000000073C90000-0x000000007437E000-memory.dmp

memory/4556-1064-0x0000000006900000-0x0000000006910000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6a53ac1983c066a828400b84e71e039c
SHA1 662441c60408f5f2c0deb27e291ac72344a8f9f6
SHA256 dac6ac8df2073281ce72a50cca8841834e81c9c86a1cd534f4cdd9be7a300b96
SHA512 40f52e06228a54d850437c715cd491c8c85349d43b7bbe2cd4c234ed111fb38cfbe838605fbdfc1382cdc2b5f6503af79ceb8ca6944ae41b2cb04bd945c70583

memory/4804-1097-0x0000000000400000-0x0000000002FB7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7a75e89665c3c7a37ade89ff7ad6187b
SHA1 f58b04ab317aa872aed21358fe0fb0f0a7b4251b
SHA256 a6d52b27913ab578e2b250e4cfd9d1ca1dbc21bd99a8ef829aaf81a047896cf9
SHA512 38654ebf2ef3c56e51eca9f3b3b384b77f78cce91e48087521435b3cd05e441654cf2197c28f919a6c8976543e9bc4a06686b4ed308842f67b6e01b95285c353

memory/4804-1414-0x0000000000400000-0x0000000002FB7000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bff4f5b1778b9505881f84657222ea66
SHA1 aca7e09fe031a6897032d17b11f78865fdb0ea4b
SHA256 aa6d0e43e24b8d904e3fb7ee15790495576f9a44d77d23515969949c24f29b9b
SHA512 39bddf312a5413927fe11f75b799e4af23ac98243d0470cf5f8df3947013448f61b9a507a8c963645b8084e6bd326f91d08fe0ddb3bc05b6abcc82a78c8c74cd

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4804-1809-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4804-1810-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4804-1811-0x0000000000400000-0x0000000002FB7000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3720-1818-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4804-1819-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/2012-1820-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4804-1821-0x0000000000400000-0x0000000002FB7000-memory.dmp

memory/4804-1823-0x0000000000400000-0x0000000002FB7000-memory.dmp
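
The Files section interleaves dropped files (path followed by MD5/SHA1/SHA256/SHA512) with memory dumps named memory/<pid>-<sequence>-<start>-<end>. Two facts are visible in the data: C:\Windows\rss\csrss.exe has the same SHA256 as the submitted sample, so it is a self-copy rather than a second-stage binary, and the __PSScriptPolicyTest_*.ps1 hashes are the hashes of the single character 1, which is the probe file PowerShell writes to test AppLocker/WDAC script enforcement, not something the malware produced. The script below is an added example, not from the report: it parses a constructed subset of the entries above (SHA512 lines omitted, two of the report's duplicate entries kept to show de-duplication), classifies the dropped files, and groups the memory dumps by address range to show which processes share the same mapped image, here the 0x400000-0x2FB7000 image in PIDs 608, 2880 and 4804 and the 0x400000-0x8DF000 image of windefender.exe in PIDs 3720 and 2012.

```python
"""Decode the Files section: dropped files with their hashes, and memory dumps
named memory/<pid>-<seq>-<start>-<end>. Added example, not from the report."""
import hashlib
import re

SAMPLE_SHA256 = "7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c"
# PowerShell writes __PSScriptPolicyTest_*.ps1 containing the single character 1
# to probe AppLocker/WDAC script enforcement; these are that file's hashes.
POLICY_PROBE_HASHES = {
    "MD5": hashlib.md5(b"1").hexdigest(),
    "SHA1": hashlib.sha1(b"1").hexdigest(),
    "SHA256": hashlib.sha256(b"1").hexdigest(),
}
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

# Constructed subset of the Files section above (SHA512 lines omitted).
FILES = r"""
memory/608-3-0x0000000000400000-0x0000000002FB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsqq5pxw.a5i.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
memory/2880-309-0x0000000000400000-0x0000000002FB7000-memory.dmp
memory/4036-312-0x0000000073D30000-0x000000007441E000-memory.dmp
C:\Windows\rss\csrss.exe
MD5 b1b5d6204253f7d60330b4146365ef5a
SHA1 074e5e4894812ffc17a2a2ab5a44ceea266dcf78
SHA256 7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c
C:\Windows\rss\csrss.exe
MD5 b1b5d6204253f7d60330b4146365ef5a
SHA1 074e5e4894812ffc17a2a2ab5a44ceea266dcf78
SHA256 7a76874f931ff8c8874c4dd511426057ef6fd3541829080a4454b2c5ca1b876c
memory/4804-1060-0x0000000000400000-0x0000000002FB7000-memory.dmp
memory/4624-564-0x0000000073D30000-0x000000007441E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
C:\Windows\windefender.exe
MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
memory/3720-1818-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2012-1820-0x0000000000400000-0x00000000008DF000-memory.dmp
"""


def parse_files(text):
    """(files, dumps): files are {'path', 'hashes'} dicts, dumps are (pid, seq, start, end)."""
    files, dumps, current = [], [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = DUMP_RE.fullmatch(line)
        if m:
            dumps.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif HASH_RE.match(line) and current is not None:
            algo, digest = HASH_RE.match(line).groups()
            current["hashes"][algo] = digest
        elif line:
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def unique_files(files):
    """Drop repeated (path, SHA256) entries; the report lists one entry per write."""
    seen, out = set(), []
    for f in files:
        key = (f["path"].lower(), f["hashes"].get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def classify(files, sample_sha256=SAMPLE_SHA256):
    """(path, verdict) for each unique dropped file."""
    out = []
    for f in unique_files(files):
        name = f["path"].rsplit("\\", 1)[-1]
        sha = f["hashes"].get("SHA256")
        if sha == sample_sha256:
            out.append((f["path"], "self-copy of the submitted sample"))
        elif name.startswith("__PSScriptPolicyTest_") and all(
                f["hashes"].get(a) == h for a, h in POLICY_PROBE_HASHES.items()):
            out.append((f["path"], "PowerShell script-policy probe (benign noise)"))
        elif name.lower().endswith(".exe"):
            out.append((f["path"], f"dropped executable, sha256 {sha}"))
    return out


def shared_regions(dumps):
    """Address ranges dumped from more than one process, with the PIDs and size."""
    by_region = {}
    for pid, _, start, end in dumps:
        by_region.setdefault((start, end), set()).add(pid)
    return {f"0x{s:08X}-0x{e:08X}": {"pids": sorted(p), "size": e - s}
            for (s, e), p in by_region.items() if len(p) > 1}


if __name__ == "__main__":
    files, dumps = parse_files(FILES)
    for path, verdict in classify(files):
        print(f"{verdict:45} {path}")
    for region, info in shared_regions(dumps).items():
        print(f"{region} ({info['size']} bytes) in PIDs {info['pids']}")
```

The shared 0x400000-0x2FB7000 region is roughly 44 MiB and is the same size in the original sample process, its re-launched copy and C:\Windows\rss\csrss.exe, consistent with the identical SHA256; windefender.exe (different hash, 0x400000-0x8DF000) is the one binary in the list that still needs to be analysed on its own.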