Malware Analysis Report

2025-08-10 17:21

Sample ID 240417-xsy3pabb73
Target 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0
SHA256 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0
Tags
glupteba dropper evasion loader upx
score
10/10

Analysis Overview

score
10/10

SHA256

7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0

Threat Level: Known bad

The file 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 19:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 19:07

Reported

2024-04-17 19:11

Platform

win10v2004-20240412-en

Max time kernel

183s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

15 matches (no description, indicator, process or target reported)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\system32\cmd.exe
PID 4176 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4176 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3676 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe

"C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe

"C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 60.166.213.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxcr32pj.00a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a4982d32a3ca38343d43169532cb8d75
SHA1 fc4ec5996220ccefbd4ad8e1db89715240777be3
SHA256 9ab381714df549e4934fde8a44a3d85f55c8e951e01c4b5454845f901176c005
SHA512 233af13709428eb883faccb55da2505d04a82b87b481a5107ea32e1e004919f2e46035a6067e86f04f796692817ff4a30c949ce2339700ba242564f19d929278

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f69305103db671231c69635575cc8bf2
SHA1 8cfae1ba0b4045013f60c01ce53bdf7385e9ebef
SHA256 697b35215accf0a7faeb66359e6f85ba91562757320ffe82627326fe571e9bc7
SHA512 683af2ef7c16ee4b7acd696cffcfb652cdf5741c478a3f13da0d61f2a2a89c46a69eb277d8097b4eb3ccf89bb1c9c399064cd32a996542e89c4b3d93e7b4cf43

C:\Windows\rss\csrss.exe

MD5 865849b49fa70dafff6110ff8e6491cc
SHA1 c9d69fb29145b3ecb6ca79e37b17b43c3110869a
SHA256 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0
SHA512 efdf89774402f91265a683178f422e66f7d315ab23166b4b1a7fd2cc8af9d10e17e2bc8f247ee7df745ae4a4654642c2981d0abce00087c32647c68cfa59ba48

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 03028d324173584ee65bdb549194084e
SHA1 f32b29d0f35cd2d04d4f751eb8733631db7601b9
SHA256 d4e63e404c173be47ecff6ea7580563e69fe3fc607bd81f0f423c0c11e218371
SHA512 0f0f09ed37af3d4277a6e9fd3486c3228ed2b93ca3183d507c65d49e9b4c7aca6a11bd6b0ccbc0f08fe26b72b4071500e5f788a9ce1d55e7b5ece1c3c72fdc81

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 19:07

Reported

2024-04-17 19:10

Platform

win11-20240412-en

Max time kernel

1s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

19 matches (no description, indicator, process or target reported)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
(5 hits; the report records no description, indicator, process or target for any of them)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
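The three signatures above (firewall modification, sc.exe, scheduled task) are the persistence and defense-evasion chain that the Processes list of this detonation records as plain command lines. The Python triage below is an added example for this report, not sandbox or vendor tooling: it walks those command lines, pulls out the firewall rule target, the task trigger and run level, the service DACL deny entries and the injector arguments, and tags each finding with an ATT&CK technique ID. The command lines in SAMPLE_TREE are copied from the Processes list; the technique mapping, the System32-only name table and all function names are this example's own.

```python
"""Triage sandbox process-tree command lines for the persistence and
defense-evasion chain this report records. Added example, not sandbox output."""
from __future__ import annotations
import re

# Process names Windows ships only in System32; the same name elsewhere is masquerading.
SYSTEM32_ONLY = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe", "wininit.exe"}
_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def _kv(cmd: str, key: str) -> str | None:
    """Value of key=value or key="value" (netsh style), or None if absent."""
    m = re.search(rf'\b{key}=(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def _switch(cmd: str, sw: str) -> str | None:
    """Value following a /switch (schtasks style), quoted or bare, or None."""
    m = re.search(rf'{re.escape(sw)}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def masquerades(path: str) -> bool:
    """True when a System32-only process name is used from some other directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM32_ONLY and not _SYSTEM32.match(path)


def triage(cmd: str) -> list[tuple[str, str]]:
    """Return (ATT&CK technique, finding) pairs for one command line."""
    out: list[tuple[str, str]] = []
    low = cmd.lower()

    # netsh advfirewall firewall add rule ... dir=in action=allow program=<exe>
    if "advfirewall" in low and "add rule" in low:
        prog = _kv(cmd, "program")
        if prog and _kv(cmd, "dir") == "in" and _kv(cmd, "action") == "allow":
            out.append(("T1562.004", f"inbound firewall allow rule for {prog}"))
            if masquerades(prog):
                out.append(("T1036.005", f"{prog} uses a System32-only name outside System32"))

    # schtasks /CREATE /SC <trigger> /RL <level> /TR <binary> /TN <name>
    if "schtasks" in low and "/create" in low:
        tn, tr = _switch(cmd, "/tn"), _switch(cmd, "/tr") or ""
        trig = (_switch(cmd, "/sc") or "?").upper()
        rl = (_switch(cmd, "/rl") or "LIMITED").upper()
        out.append(("T1053.005", f"task '{tn}' ({trig}, {rl}) runs {tr}"))
        if masquerades(tr):
            out.append(("T1036.005", f"{tr} uses a System32-only name outside System32"))

    # sc sdset <service> <SDDL>: report deny ACEs aimed at admins or SYSTEM in the DACL.
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmd, re.IGNORECASE)
    if m:
        svc, sddl = m.groups()
        dacl = sddl.split("S:")[0]
        for rights, who in re.findall(r"\(D;[^;]*;([^;]*);[^;]*;[^;]*;(BA|SY)\)", dacl):
            out.append(("T1562", f"service '{svc}' DACL denies {rights} to {who}"))

    # <injector.exe> <target.exe> <payload.dll>: a DLL handed to a loader with a target process.
    m = re.search(r"(\S+\.exe)\s+(\S+\.exe)\s+(\S+\.dll)\s*$", cmd, re.IGNORECASE)
    if m:
        out.append(("T1055.001", f"{m.group(1)} loads {m.group(3)} into {m.group(2)}"))
    return out


def triage_tree(cmds: list[str]) -> list[tuple[str, str]]:
    """Triage every command line, dropping repeated findings but keeping first-seen order."""
    seen: dict[tuple[str, str], None] = {}
    for cmd in cmds:
        for finding in triage(cmd):
            seen.setdefault(finding, None)
    return list(seen)


# Command lines copied from the behavioral2 Processes list (cmd.exe wrappers omitted).
SAMPLE_TREE = [
    r"powershell -nologo -noprofile",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'"C:\Windows\windefender.exe"',
    r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
]

if __name__ == "__main__":
    for technique, finding in triage_tree(SAMPLE_TREE):
        print(f"{technique:<10} {finding}")
```

The same rules run unchanged over Sysmon event ID 1 or Windows Security 4688 command lines on a live host; the `csrss` task name and the `C:\Windows\rss\csrss.exe` path are the cheap, high-signal hunts, since `csrss.exe` legitimately exists only in System32 and is never a scheduled task. The DLL check is deliberately narrow (loader, target .exe, .dll as the final argument) so it matches the injector pattern in this tree without firing on every command line that mentions a DLL.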

Processes

C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe

"C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe

"C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0f8ebed-264b-45d9-bed1-ac18e53e89db.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 server3.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.108:443 server3.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server3.databaseupgrade.ru tcp
BG 185.82.216.108:443 server3.databaseupgrade.ru tcp

Files

memory/3612-1-0x0000000004F50000-0x0000000005357000-memory.dmp

memory/3612-2-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3612-3-0x0000000005360000-0x0000000005C4B000-memory.dmp

memory/3732-4-0x00000000046B0000-0x00000000046E6000-memory.dmp

memory/3732-5-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/3732-8-0x0000000004770000-0x0000000004780000-memory.dmp

memory/3732-7-0x0000000004DB0000-0x00000000053DA000-memory.dmp

memory/3732-6-0x0000000004770000-0x0000000004780000-memory.dmp

memory/3732-9-0x00000000053E0000-0x0000000005402000-memory.dmp

memory/3732-10-0x0000000005480000-0x00000000054E6000-memory.dmp

memory/3732-11-0x0000000005560000-0x00000000055C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_no5hbwcy.m0s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3732-20-0x0000000005650000-0x00000000059A7000-memory.dmp

memory/3732-21-0x0000000005B60000-0x0000000005B7E000-memory.dmp

memory/3732-22-0x0000000005C10000-0x0000000005C5C000-memory.dmp

memory/3732-23-0x00000000060F0000-0x0000000006136000-memory.dmp

memory/3732-36-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

memory/3732-38-0x0000000004770000-0x0000000004780000-memory.dmp

memory/3732-37-0x0000000007000000-0x00000000070A4000-memory.dmp

memory/3732-27-0x00000000702F0000-0x0000000070647000-memory.dmp

memory/3732-26-0x0000000070170000-0x00000000701BC000-memory.dmp

memory/3732-40-0x0000000007130000-0x000000000714A000-memory.dmp

memory/3732-39-0x0000000007770000-0x0000000007DEA000-memory.dmp

memory/3732-41-0x0000000007170000-0x000000000717A000-memory.dmp

memory/3732-25-0x0000000006FA0000-0x0000000006FD4000-memory.dmp

memory/3732-42-0x0000000007280000-0x0000000007316000-memory.dmp

memory/3732-43-0x0000000007190000-0x00000000071A1000-memory.dmp

memory/3732-24-0x000000007EF90000-0x000000007EFA0000-memory.dmp

memory/3732-44-0x00000000071E0000-0x00000000071EE000-memory.dmp

memory/3732-45-0x00000000071F0000-0x0000000007205000-memory.dmp

memory/3732-46-0x0000000007240000-0x000000000725A000-memory.dmp

memory/3732-47-0x0000000007260000-0x0000000007268000-memory.dmp

memory/3732-50-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/1932-52-0x0000000004E50000-0x000000000524B000-memory.dmp

memory/3184-58-0x0000000006160000-0x00000000064B7000-memory.dmp

memory/1932-62-0x0000000000400000-0x000000000310E000-memory.dmp

memory/3184-63-0x0000000003130000-0x0000000003140000-memory.dmp

memory/3184-64-0x0000000003130000-0x0000000003140000-memory.dmp

memory/3184-65-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/3184-66-0x0000000070170000-0x00000000701BC000-memory.dmp

memory/3184-67-0x0000000070380000-0x00000000706D7000-memory.dmp

memory/3612-77-0x0000000004F50000-0x0000000005357000-memory.dmp

memory/3184-78-0x0000000003130000-0x0000000003140000-memory.dmp

memory/3184-76-0x0000000007890000-0x0000000007934000-memory.dmp

memory/3184-79-0x0000000007BE0000-0x0000000007BF1000-memory.dmp

memory/3184-80-0x0000000007C30000-0x0000000007C45000-memory.dmp

memory/3184-83-0x0000000073F00000-0x00000000746B1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 38dbf7dbb3278921f4a5446f68aa99e5
SHA1 7db5c41e13fc4dd19dfa652ed95bac547ba462de
SHA256 cd6ee0734fc2fceeda198578495c3ce068ac6e8c8530d38822677ebbf9441814
SHA512 435d3db24b80bf19a0fadd754eadb19cff6c47f24926ee32b6971b2f56d74d16116b79ba64228497181a1819d945f43424c6ac84e4ebff778923538d0bc5ad5e

memory/3612-94-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2480-96-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/2480-97-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/2480-95-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/2480-99-0x0000000070170000-0x00000000701BC000-memory.dmp

memory/2480-100-0x00000000702F0000-0x0000000070647000-memory.dmp

memory/2480-110-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/2480-109-0x00000000029F0000-0x0000000002A00000-memory.dmp

memory/2480-98-0x000000007F450000-0x000000007F460000-memory.dmp

memory/4728-114-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/1932-115-0x0000000004E50000-0x000000000524B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 411e50ac7a160e451e7cdefa91d2c92c
SHA1 47d4c00eeb02f2a5521ce5c9a54ae199aa1dd304
SHA256 029c2c4a387463a51d5aef6e9a38e4fc2e362c07100501fb0b1719fb4487d18d
SHA512 2aa69ec47e50d00502eea1d5952bef86bd7f6c9586f5cacca63bf9a1cb69f0ae3ac6a743d576378360c88042ad36239d8783b0cec37e35deb4ec39d3eb67ac49

memory/4728-113-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/2480-112-0x0000000073F00000-0x00000000746B1000-memory.dmp

memory/1932-125-0x0000000000400000-0x000000000310E000-memory.dmp

memory/4728-128-0x00000000702F0000-0x0000000070647000-memory.dmp

memory/4728-127-0x0000000070170000-0x00000000701BC000-memory.dmp

memory/4728-138-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/4728-137-0x000000007F9A0000-0x000000007F9B0000-memory.dmp

C:\Windows\rss\csrss.exe (same SHA256 as the submitted sample: a byte-for-byte copy of the dropper, the binary the firewall rule and the csrss logon task above point at)

MD5 865849b49fa70dafff6110ff8e6491cc
SHA1 c9d69fb29145b3ecb6ca79e37b17b43c3110869a
SHA256 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0
SHA512 efdf89774402f91265a683178f422e66f7d315ab23166b4b1a7fd2cc8af9d10e17e2bc8f247ee7df745ae4a4654642c2981d0abce00087c32647c68cfa59ba48

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 499b3517e8e47921a22d1585b5dba342
SHA1 57a29f41b747bfb64eb4e669880a23cf7ce24374
SHA256 96956c7a1de3f550343037b943c4a08cdbb247ce309a4501ddf787224f5b0e7c
SHA512 3a58178eaefe52d05eb686808ae8de12c045dc0feaf1237e956a86833410c9df3cca7643bf6971e922ea9c734471a46a9e8726cf4c8ba70b8e477dfeec3513dd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eaf8592db0ce8b2cea30a085d83589dd
SHA1 3de682b4a78247868d7702c7e43b9560cf411992
SHA256 bead49ef134ce4c300e7999bc458765d77e9486acc7cadcacfa13f41e3aba826
SHA512 00ca4bce77331539ebe34dfc8f76753b1a3f44d9a1a2b079f309877ff313583a9caebe09b7cc6d924d8c0bd5c33d30d84dae2e29eadf3c42fa7905f14308f5c1

memory/1932-208-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 37981230522422bdbe23e02698105b83
SHA1 409a89517a54559d657aff43c0ce78e99729fb5d
SHA256 dde991df32541e2db97caedf0cf45c60da5a1e10b629aca4b27f336ac409c523
SHA512 d8eaa3c8efe5ca2dbae3f5260cc70a87489336ef990f460a6f6de2344b4ebf87fa3069f37cbb0266c034bf7accc45d8805e33d7b5a5faa662c3856874a2fdc63

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2548-242-0x0000000000400000-0x000000000310E000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/956-251-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2548-253-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2708-256-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2548-257-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-261-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2708-264-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2548-265-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-269-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-273-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2708-276-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2548-277-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-281-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-285-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-289-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-293-0x0000000000400000-0x000000000310E000-memory.dmp

memory/2548-297-0x0000000000400000-0x000000000310E000-memory.dmp