Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-x44gjsda4v
Target e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2
SHA256 e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2
Tags
glupteba dropper evasion loader upx
score
10/10

Analysis Overview

score
10/10

SHA256

e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2

Threat Level: Known bad

The file e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Launches sc.exe

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:25

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:25

Reported

2024-04-17 19:28

Platform

win11-20240412-en

Max time kernel

2s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe

"C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe

"C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 server2.thestatsfiles.ru udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp
BG 185.82.216.96:443 server2.thestatsfiles.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hhu0k3y0.idr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6ec3e1e817cf951b89bebe928c3680fe
SHA1 8740bfac54ec09f37a660a922510632e4d8b56ef
SHA256 3e088178a12b83933e4408da6b0df844c5db2fc17ce360e3ea4d05959a932c29
SHA512 b6f11129e12df138c523c1c5ed71db541229d6be966af5160fa47382c9dde7ff7659e9652ac36d2513e1d0a219fdca80c37e4e924592a81add3b7eaaf5733c90

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 faba69b74383f490d6f00e55def13b11
SHA1 1fb51044a5fa172721dc94c222fe0320b18c6eb3
SHA256 73e7c355ba45e4b643df8c9ace631504a652a104c85c3931944336d0bb5743f7
SHA512 2c72400cae7e5a0ef33443438395c6907817bafcb7f955c7fae66cf5353bad97bd06ebd3c7c6e817ffb9518d4959c64549f69f1f03aa8d3fb19d85b7a722d7ea

C:\Windows\rss\csrss.exe

MD5 f7f6ac2ccc26469e414725cf312f8ddb
SHA1 a33fdb1f4f138814663a75684015be0a44b5b237
SHA256 e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2
SHA512 f1e04378eb7a2d0895e0f12616d854254ac8f15c2db35a66fe1339a40ab5802199bd0a7a4b795e9fea660fe414782969d6badbdc14a4e4367b57e384513563c6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d57fcce888f569ea7463ae30c4edb403
SHA1 d864d61243e53808d7ee1321588d9b8f511032f8
SHA256 2b1729ed18bd621056ea451608d1fc9bd6085c2652ea9aa5d5c2ec1bd65a7c07
SHA512 60b38ffb5264b442eeda7b3f99df90918eb5bfc5e6406bd6e81bc420bda0abe4953b685d0363356cd918f759201ba9631af018573cbadd33d826929c5130ab96

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5844aa5ba80aaed01aab9fb9fddf0420
SHA1 ec8e62dca897f86f3881be75725f0795de9346ae
SHA256 513bcdb293294fe6c8ab5562d1eb938a89559d51914d6f1c09fd7657292c9dc3
SHA512 a7e762a9b87f8226387728cfc609898ec4a749bae550e462a71c3f3282c748563e449082a1d0255ca34e2c358b35cf9378c0c0bd43bc63e6a330277826c01a7d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1ffe0d9e88c5b634e129a5fa586e5a42
SHA1 e960f774c14e61a16ff7ca1634210ef68d030afa
SHA256 53ba83355b531b782f927dbd36bca4ac694f8601b0dc472ece54b12a037c9b16
SHA512 28b28765f4da4169c7d4559279843196a81cd527b03f6879d57591ac00af03a45024105b3904975b5df8466a512491bf4afcd59a490e5ab079bfe06acb4b4d32

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:25

Reported

2024-04-17 19:28

Platform

win10v2004-20240412-en

Max time kernel

3s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe

"C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe

"C:\Users\Admin\AppData\Local\Temp\e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 a64cdf97-c470-444f-85e4-c07db072fb3c.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server15.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
BG 185.82.216.96:443 server15.thestatsfiles.ru tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wokf3po.ouq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c74eb634f138093136dc19eaaf1debaf
SHA1 ebc3194de381bef1af59806b4a4c7b1541bc5f3a
SHA256 7b95866e329241379687415768d3e36a87a232ba5ce1f0a3501f652dd43f1845
SHA512 698e30a50ae26af39f28c5f490126f4dd373512f8fb3786247559b88f18d418d35c8cbe440b7c0b40a68a7c7e1e133339cf826b87cc2ea7b2913d9721e137fc8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad1067bb9731d3503d08148ee1096e1c
SHA1 5554f3a9db57bc989db72bab61e0e7b662a1d208
SHA256 8a8c64b98936b3fd0e638a0efae46064833c352ed51f337c2148af7f90d9884b
SHA512 e67a681b0c8879cdeb7773a2640f8dc9c083876a3c04e329cc53c926362fb9ddf31e733d38aaf052cfa874e09eef0d212005bb37ad8cfe426dd399f12f4619a9

C:\Windows\rss\csrss.exe

MD5 f7f6ac2ccc26469e414725cf312f8ddb
SHA1 a33fdb1f4f138814663a75684015be0a44b5b237
SHA256 e75aec088198dc27a326feeb58a09fa713a66fb279d9efe80e1c6f38631c28b2
SHA512 f1e04378eb7a2d0895e0f12616d854254ac8f15c2db35a66fe1339a40ab5802199bd0a7a4b795e9fea660fe414782969d6badbdc14a4e4367b57e384513563c6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b1b731a48c079a10281365fa3cbbaf27
SHA1 a5a67dc693915a2f1103f350fb29bbff056351f4
SHA256 eb3ab1b689ea21a53f9093b84a67a3f6e24e32557c8089a1503c4799c142e2e7
SHA512 c68d7fed2840794bd10a6c5b60f333fe633cc972547f671f6eabcd83d32edd7a080d61fd5c9df8946f66c8150730cf30b0069a701cd814384e28e294526baca3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 90c58a4ab46129ce5bd5b202473d8b57
SHA1 7eb45615ad6b6f3791394bb8c297262334cf56c2
SHA256 b168320cb1295abf1787cb1fbe87dd1c50115bc245f69fd724d1ff37ca0dd915
SHA512 3a3c46a7d8f2ca155abe9bde953b1b3797343f5118ff1b4225ad6dbf36a1f611f3a31703a1468e135d4341ba2cb737f1edb77da6fed9e06ad30065258cbc8ebe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5567ba6de98448642ba509e5e66ed483
SHA1 299c4e96021a1d54fd01edc3b417745584c3f777
SHA256 ba2d37e198b9e3b8158143a15af31e65b47da2fcdbe76e09839d722598189da7
SHA512 02ec92309138f9e6b611fbbd108def3e3082d7e6ba33ab629ea12fbdc57dec27978f7867a02fa6111b54c7394dfb589d641010eff358f6cc7d5ea2e8e6d1185d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
