Malware Analysis Report

2025-08-10 17:22

Sample ID 240417-ys5e5sch44
Target 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6
SHA256 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6
Tags glupteba dropper evasion loader upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6

Threat Level: Known bad

The file 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader upx

Glupteba payload

Glupteba

Modifies Windows Firewall

UPX packed file

Launches sc.exe

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 20:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 20:03

Reported

2024-04-17 20:06

Platform

win10v2004-20240412-en

Max time kernel

1s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe

"C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe

"C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0q2dzgda.vlg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e9720063759b667f4c6aec70a6f61f27
SHA1 8a5216c68f5f6e28c1b0d4f66ff980ec7f744638
SHA256 e7dd5e70c9ce25107c480c27689ab237d477f489a580227b945984740ea5b05e
SHA512 9ed914b750b74da635ba60af70c5cfb3fe8f0d4bf18a8afb549c11c3214fcc13b6a22fca0e99a9828ba55003611d431c75d3d990a298d89d433693a70e24d17b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ad5123924c49cbba06b83adf8cfe2076
SHA1 a34eb4dac442b99de141fbe7baa8b815913d17de
SHA256 f1f9cbb177fb51287813ba3f9852c13ea26cf6fdfa37609d9c993b9b7e44d220
SHA512 319f4c7522513cd9be7850527670134a511437b986f4ba9c7673adfdbc87406ad6f44fa77ea6770df5d147859541383cba16be3afa02f98a8d8bf73fd7e127ac

C:\Windows\rss\csrss.exe

MD5 a00d1477523f7e89af556f3bab439d45
SHA1 ed6032277700addaf11e7e8f7e18aa9279c4bdb6
SHA256 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6
SHA512 e2e5bebe16c6162db1c474c34a1e116618dce43a08e1c21fedd4f07ce020215e14fad0de4aa46f8033ce6c81bcf1c783d324fc2ae52e483ea446a113a5c607ac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d35f4ace5451ad7da7177a4d0ee57e88
SHA1 ad3267a24fc05e5e1dfa2f9b8f0ad4640ee21ac5
SHA256 658f90ffe7b762032911dac61b3d99d8dfe9252451baabc739ea0f1e7765dd25
SHA512 cf2ff620b9c34d84aeee30a15172dec226091eeb996868da0c322dcf8d3c6212fd90e71184ac13b0761e251557a58a8d0f15fc9c1f38c38678712e81c5bd5ca3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 60b1ae0ce24612586fc71ac34ed7a1be
SHA1 c01600bde3c8e0268394d2721040a3942bb54f2c
SHA256 b7cfe1f805b865d380b3174c8e1a12e052d26aae4a53cc0f6c558f8abd0bbe9f
SHA512 5f9a1d5bd15be2d26a13ddea8633d2eacd15aeb0a394f85ee220288f504d4a71e1116e778622ced7da38687eb13370d39f197afa05725cc013f8caba8e91986b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 862cd745e1237ea6ce3f6cfd869baeee
SHA1 687907a5e87a0dff5fc4bb85d03abb3a8b076f1f
SHA256 c3c88c43bbe8c54d6835b5780d42d3a29e09872a41a5a13f5031ba5559b06f7c
SHA512 0ede04aca17f3ae0d1328eb9b920d72a0292a908cb9e20729e8363cb83de773a22d21c45ef6de46e5a80238e211375826afc39edff0162ad1747da30c3dbe0b5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 20:03

Reported

2024-04-17 20:06

Platform

win11-20240412-en

Max time kernel

1s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe

"C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe

"C:\Users\Admin\AppData\Local\Temp\4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtohyfgy.euc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4e034cdabc474f7471e5d5299bbfbc18
SHA1 1fba543c70e3baa566a74ceeebad40f62be55c14
SHA256 defdcc1587d871ac05dde0aedd80b78db9046b49731e96cbe3bacd42a7b2aec2
SHA512 7af3e2559147dc95fb7f727a5106f388c1676472f6536d6845767b9577f6a8e1f9ac4053e6b83af60757777b7ee66169bfa75df5fd5113ac3eccfef482cae644

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3b66491107caeea545185c17a29c1a2b
SHA1 25c0d2ba19a5a8a5484142c73bfea451296e56d1
SHA256 d60d115752969dde146156f527519f32003e3915dcf923c63fb2c052de93d61b
SHA512 41ddfd3953e264b2de12e9cbdd43afa6d213efb8fa942e78c9ccb6b9b0e66f996f707cbc9bf2db4b5e557e72ed3ced5cf55487975a6f1a6cfe6fd5fc579d06b1

C:\Windows\rss\csrss.exe

MD5 a00d1477523f7e89af556f3bab439d45
SHA1 ed6032277700addaf11e7e8f7e18aa9279c4bdb6
SHA256 4c514b7385b3ab5b9424d42fea18f7f6732db46fc551075dd1f5f79c9da929a6
SHA512 e2e5bebe16c6162db1c474c34a1e116618dce43a08e1c21fedd4f07ce020215e14fad0de4aa46f8033ce6c81bcf1c783d324fc2ae52e483ea446a113a5c607ac

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2bfb58586e5c0cec07883f535e4e2d0e
SHA1 f47842e2d737f07abdb287bb12c50610ad5f32fd
SHA256 2ff91a331b2ee3b883f9a0c006afbc680e2ac2fa7ba8bd905876ab748cd9bb2e
SHA512 22fe379f4fad4d55488fd8cb2dc6274b5d13adcea8116b873eb9ef9f92a3d49ee9a90feab7a2ebba22d99a005bbcfdee3a19d2deaaead98191603a2b0c87782a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0df5620fcc371c081583f4249b672231
SHA1 d63a6adc66d391bad408e7f2612dae9aaf32a13a
SHA256 5cc2903605f3009c9e31cfc4c24dbe8382ae7985cba5da84f7eb53dfa03ec550
SHA512 0d684c76d426ca7257a948815ee771ef34f5d088d5615a64bf4dc3b365981f790fd0962120f3a9a0638d3d1107611892905ad22c046a069e2edeae4ef7df89db

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cb86db57c1741ef32d2c3705110424ee
SHA1 829919af54674b06abff6b3979662ab8e4755765
SHA256 025d855265b5646f3149a751ece932688b028fc6fa3745d088936a33158c7726
SHA512 d363d0905763116c579ebd0c7b21a784ca7153117502c015795383585b418cef44b332dbdf84f71f81585f32a04984f769cd8d43482e2bf0445adf5bed869da9

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
