Malware Analysis Report

2025-01-02 06:36

Sample ID 240515-3pvhzsad95
Target 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e
SHA256 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e
Tags
glupteba dropper evasion execution loader upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e

Threat Level: Known bad

The file 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:41

Reported

2024-05-15 23:44

Platform

win10v2004-20240426-en

Max time kernel

18s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
18 rows, every field N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
6 rows, every field N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
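The three signatures above, and the injector that appears under Processes, are all visible in plain process command lines, so they are cheap to hunt for in EDR or Sysmon event 1 (process creation) telemetry. The script below is an added example written for this page, not sandbox code and not anything from the sample: EVENTS copies the (image, command line) pairs recorded under Processes for behavioral1 plus one benign schtasks line constructed for contrast, the rules are the editor's own heuristics, and SYSTEM_BINARIES holds the genuine location of csrss.exe so that a copy in C:\Windows\rss is reported as a masquerade.

```python
"""Flag the firewall, scheduled-task and injector command lines seen in this report.

Added example by the editor, not part of the sandbox output or of Glupteba.
EVENTS copies (image, command line) pairs from the Processes section of
behavioral1 and adds one benign schtasks line for contrast; the rules are
heuristics, not a vendor's signatures.
"""
import re

# Real location of Windows binaries whose names malware borrows (only the one
# this report needs; extend as required).
SYSTEM_BINARIES = {"csrss.exe": r"c:\windows\system32\csrss.exe"}

EVENTS = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell -nologo -noprofile"),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SYSTEM32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    # Constructed benign line: a query must not fire any rule.
    (r"C:\Windows\System32\schtasks.exe", r'schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in _TOKEN.findall(cmd)]


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def masquerades(path):
    """True when the file name is a well-known system binary but the path is not its real one."""
    real = SYSTEM_BINARIES.get(basename(path))
    return real is not None and path.strip('"').lower() != real


def _schtasks_opts(toks):
    """Turn '/SC ONLOGON /F' style arguments into {'/sc': 'ONLOGON', '/f': True}."""
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def flag(cmd):
    """Return a list of (rule, detail) findings for one command line."""
    findings = []
    low = cmd.lower()
    # Rule 1: an inbound allow rule for a specific program.
    if "advfirewall" in low and re.search(r"\badd\s+rule\b", low):
        kv = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmd)}
        if kv.get("dir", "").lower() == "in" and kv.get("action", "").lower() == "allow":
            prog = kv.get("program", "")
            note = " (name mimics a system binary outside its real directory)" if masquerades(prog) else ""
            findings.append(("firewall_inbound_allow", f"rule {kv.get('name')!r} allows inbound to {prog}{note}"))
    toks = tokens(cmd)
    # Rule 2: scheduled-task creation or removal.
    if toks and basename(toks[0]) in ("schtasks", "schtasks.exe"):
        o = _schtasks_opts(toks)
        if "/create" in o:
            tr = o.get("/tr", "")
            detail = f"task {o.get('/tn')!r} runs {tr} on {o.get('/sc')} at run level {o.get('/rl')}"
            if masquerades(tr):
                detail += " (masquerading binary)"
            findings.append(("schtasks_create", detail))
        if "/delete" in o:
            findings.append(("schtasks_delete", f"removes task {o.get('/tn')!r}"))
    # Rule 3: a helper given a target process name and a DLL path, i.e. an injector.
    if len(toks) == 3 and toks[1].lower().endswith(".exe") and toks[2].lower().endswith(".dll"):
        findings.append(("dll_injector", f"{basename(toks[0])} loads {basename(toks[2])} into {toks[1]}"))
    return findings


def triage(events):
    """Apply flag() to every (image, command line) pair and keep the image with each finding."""
    return [(image, rule, detail) for image, cmd in events for rule, detail in flag(cmd)]


if __name__ == "__main__":
    for image, rule, detail in triage(EVENTS):
        print(f"{rule:24} {detail}   [{basename(image)}]")
```

The cmd.exe wrapper and the netsh.exe child both carry the firewall string, so a real deployment would collapse the two findings by parent/child relationship; here they are left separate to show that both event types match.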

Modifies data under HKEY_USERS

Every write below lands under \REGISTRY\USER\.DEFAULT, the hive the LocalSystem account uses as its HKEY_CURRENT_USER; the powershell.exe artefacts under C:\Windows\SysWOW64\config\systemprofile in the Files section likewise show those PowerShell instances running as SYSTEM. The MuiCache values are resolved @tzres.dll resource strings, i.e. the sample enumerated the installed time-zone names; the SystemCertificates keys and the ZoneMap\ProxyBypass value are standard artefacts of PowerShell's first run in a fresh profile (CryptoAPI creating its per-user certificate stores, WinINet initialising zone settings) rather than attacker-chosen changes.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe

"C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe

"C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
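The sc sdset command above replaces the security descriptor of a service named WinDefender (not the genuine Microsoft Defender service, which is WinDefend). Read as SDDL, the DACL grants LocalSystem full control and Administrators most rights, then adds an explicit deny ACE for WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) for Administrators, so `sc stop` or `net stop` from an elevated prompt fails with access denied while the service keeps running. The parser below is an added example by the editor, not code from the report or from the sample: SDDL is the string recorded above, SERVICE_RIGHTS is the standard two-letter access-right mapping for service objects, and TRUSTEES expands the well-known SID aliases the string uses.

```python
"""Decode the service security descriptor installed by `sc sdset WinDefender ...`.

Added example by the editor, not code from the sandbox report or from the
sample. SDDL is the string recorded under Processes; SERVICE_RIGHTS is the
standard mapping of SDDL access codes for service objects.
"""
import re

SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
        "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Two-letter SDDL access codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "BUILTIN\\Administrators", "IU": "INTERACTIVE",
            "SU": "SERVICE", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# Rights that let a principal stop, reconfigure or remove the service.
CONTROL_RIGHTS = {"SERVICE_STOP", "SERVICE_PAUSE_CONTINUE", "SERVICE_CHANGE_CONFIG",
                  "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# "D:" or "S:", optional ACL flags (P, AI, ...), then the parenthesised ACEs.
_ACL = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")


def decode_rights(field):
    """Expand 'WPDT' into ['SERVICE_STOP', 'SERVICE_PAUSE_CONTINUE']; leave numeric masks alone."""
    if field.startswith("0x"):
        return [field]
    return [SERVICE_RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_ace(text):
    """ACE fields are type;flags;rights;object_guid;inherit_object_guid;sid."""
    typ, flags, rights, _obj, _inh, sid = (text.strip("()").split(";") + [""] * 6)[:6]
    return {"type": ACE_TYPES.get(typ, typ), "flags": flags,
            "rights": decode_rights(rights), "trustee": sid}


def parse_sddl(sddl):
    out = {"dacl": [], "sacl": []}
    for kind, _flags, aces in _ACL.findall(sddl):
        out["dacl" if kind == "D" else "sacl"] = [parse_ace(a) for a in re.findall(r"\([^)]*\)", aces)]
    return out


def effective(dacl, trustee):
    """(allowed, denied) right names for one trustee; an explicit deny beats any allow."""
    allowed = {r for a in dacl if a["trustee"] == trustee and a["type"] == "allow" for r in a["rights"]}
    denied = {r for a in dacl if a["trustee"] == trustee and a["type"] == "deny" for r in a["rights"]}
    return allowed - denied, denied


def blocked_controls(parsed):
    """Trustees that are explicitly denied a control right, and which rights."""
    return {a["trustee"]: sorted(set(a["rights"]) & CONTROL_RIGHTS)
            for a in parsed["dacl"] if a["type"] == "deny" and set(a["rights"]) & CONTROL_RIGHTS}


if __name__ == "__main__":
    parsed = parse_sddl(SDDL)
    for ace in parsed["dacl"]:
        print(f'{ace["type"]:5} {TRUSTEES.get(ace["trustee"], ace["trustee"]):24} {" ".join(ace["rights"])}')
    for who, rights in blocked_controls(parsed).items():
        print(f"{TRUSTEES.get(who, who)} cannot: {', '.join(rights)}")
```

The same DACL still leaves WD (WRITE_DAC) and DC (SERVICE_CHANGE_CONFIG) to Administrators, so an elevated `sc sdset` with a sane descriptor, or `sc config WinDefender start= disabled` followed by a reboot, is enough to regain control; the trick only defeats the reflexive `net stop`.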

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 4b907ae9-bf96-4c8a-9bca-e8db9a6cf551.uuid.dumppage.org udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server12.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
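Three things in this table deserve separating from the Bing traffic that a Windows 10 image generates on its own: the capture contains reverse (PTR, in-addr.arpa) lookups for twenty addresses, five of them addresses contacted in the same run; a DNS query for a UUID-labelled subdomain of dumppage.org, i.e. a per-run or per-victim identifier carried in the query name, precedes three TLS connections to server12.dumppage.org; and there is a STUN exchange with stun3.l.google.com on UDP 19302, which tells the host its public address. Whether the sample or the OS issues the PTR lookups cannot be read from the table, so the script below only separates them for the analyst. It is an added example by the editor, not sandbox output: ROWS is the Network table above copied verbatim, and NOISE_SUFFIXES is an assumption about which domains are OS or sandbox background rather than sample traffic.

```python
"""Classify the Network table of this report.

Added example by the editor, not part of the sandbox output. ROWS is the
Network table of behavioral1 copied verbatim; NOISE_SUFFIXES is an assumption
about which domains are background traffic of the Windows image.
"""
import re
from collections import Counter

ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 200.83.221.88.in-addr.arpa udp
BE 88.221.83.200:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 4b907ae9-bf96-4c8a-9bca-e8db9a6cf551.uuid.dumppage.org udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server12.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun3.l.google.com udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BG 185.82.216.111:443 server12.dumppage.org tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
""".strip().splitlines()

NOISE_SUFFIXES = ("bing.com", "bing.net")  # assumption: OS/sandbox background, not sample traffic
UUID_LABEL = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
STUN_PORT = 19302  # Google's public STUN servers listen here


def parse_row(row):
    country, dest, domain, proto = row.split()
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_target(name):
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def analyse(rows):
    recs = [parse_row(r) for r in rows]
    ptr = {ptr_target(r["domain"]) for r in recs if ptr_target(r["domain"])}
    contacted = {r["ip"] for r in recs if r["port"] != 53}  # everything that is not a DNS query
    tls = Counter((r["ip"], r["domain"]) for r in recs
                  if r["proto"] == "tcp" and r["port"] == 443 and not is_noise(r["domain"]))
    return {
        "ptr_lookups": ptr,
        "contacted_and_resolved": contacted & ptr,
        "uuid_beacons": [r["domain"] for r in recs if UUID_LABEL.match(r["domain"].split(".", 1)[0])],
        "stun": [(r["ip"], r["port"], r["domain"]) for r in recs if r["port"] == STUN_PORT],
        "repeat_tls": {k: n for k, n in tls.items() if n > 1},
    }


if __name__ == "__main__":
    for key, value in analyse(ROWS).items():
        print(f"{key}: {value}")
```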

Files

memory/3560-1-0x0000000004800000-0x0000000004BFC000-memory.dmp

memory/3560-2-0x0000000004C00000-0x00000000054EB000-memory.dmp

memory/3560-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/364-4-0x0000000074F5E000-0x0000000074F5F000-memory.dmp

memory/364-5-0x0000000002F80000-0x0000000002FB6000-memory.dmp

memory/364-6-0x0000000005890000-0x0000000005EB8000-memory.dmp

memory/364-7-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/364-8-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/364-9-0x00000000056A0000-0x00000000056C2000-memory.dmp

memory/364-11-0x0000000005F30000-0x0000000005F96000-memory.dmp

memory/364-10-0x00000000057C0000-0x0000000005826000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmeddwc0.c4l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/364-17-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/364-22-0x0000000006560000-0x000000000657E000-memory.dmp

memory/364-23-0x00000000065E0000-0x000000000662C000-memory.dmp

memory/364-24-0x0000000006AA0000-0x0000000006AE4000-memory.dmp

memory/364-25-0x0000000007880000-0x00000000078F6000-memory.dmp

memory/364-27-0x0000000007920000-0x000000000793A000-memory.dmp

memory/364-26-0x0000000007F80000-0x00000000085FA000-memory.dmp

memory/364-29-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

memory/364-28-0x0000000007AE0000-0x0000000007B12000-memory.dmp

memory/364-41-0x0000000007B20000-0x0000000007B3E000-memory.dmp

memory/364-42-0x0000000007B40000-0x0000000007BE3000-memory.dmp

memory/364-30-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/364-44-0x0000000007C30000-0x0000000007C3A000-memory.dmp

memory/364-43-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/364-31-0x00000000714F0000-0x0000000071844000-memory.dmp

memory/364-45-0x0000000007CF0000-0x0000000007D86000-memory.dmp

memory/364-46-0x0000000007C50000-0x0000000007C61000-memory.dmp

memory/364-47-0x0000000007C90000-0x0000000007C9E000-memory.dmp

memory/364-48-0x0000000007CA0000-0x0000000007CB4000-memory.dmp

memory/364-49-0x0000000007D90000-0x0000000007DAA000-memory.dmp

memory/364-50-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

memory/364-53-0x0000000074F50000-0x0000000075700000-memory.dmp

memory/3560-56-0x0000000004C00000-0x00000000054EB000-memory.dmp

memory/3560-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3560-54-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4544-67-0x00000000065E0000-0x0000000006934000-memory.dmp

memory/4544-68-0x0000000006A20000-0x0000000006A6C000-memory.dmp

memory/4544-80-0x0000000007BB0000-0x0000000007C53000-memory.dmp

memory/4544-70-0x0000000071070000-0x00000000713C4000-memory.dmp

memory/4544-69-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

memory/4544-81-0x0000000007EE0000-0x0000000007EF1000-memory.dmp

memory/4544-82-0x0000000007F30000-0x0000000007F44000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4992-95-0x0000000005B80000-0x0000000005ED4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1105e15715eef3ada188a151b5d9b5a
SHA1 013572fb6921a952097ee7b200ce9b1cc249cbfe
SHA256 3dda8ddd13bde2bba28642048633263172b90b5d492ab4c71412fe58d888bcdb
SHA512 6cb5772359b1aaa3b0bebeeef1c608175e5b5a5329173bf78030b87a7b57bad2edf362f45155ec87d3177681fa050b36301654112984ea695d7b9ae06c63227f

memory/4992-98-0x0000000071670000-0x00000000719C4000-memory.dmp

memory/4992-97-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

memory/4568-118-0x0000000005640000-0x0000000005994000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0cac594c71fd7a7be1d5e7025c7948d6
SHA1 b799843dc5fb966087f282c922f63d8502da3e33
SHA256 fcfafd96e6e0d2bf1dcf7dffeee393d627c9c7f358142698513fcad42da7ed05
SHA512 577677f2ed354d9a46f644340bc41559edfb19fd2858adeb7577455b3202b8c257446d9de26c0409432c0731518c7cdd1df54aa03e403db3ca994c30ccceecc8

memory/4568-121-0x0000000071300000-0x0000000071654000-memory.dmp

memory/4568-120-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 37dd4d82523bbfb21204e7f533525b6f
SHA1 ee3e26ea8f51d5030ed5c8eb4bc5c55a084082d3
SHA256 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e
SHA512 6f6717ad6eed49d06eac3c90e4246f756f1cac7a4fba9f01bad477912b7496e5e146cd182b9ed8084f51e4cafd56ff117842aa92b2398977178688ca1ccc6b50

This SHA256 is the submitted sample's own: the dropper copies itself to C:\Windows\rss\csrss.exe, the path the netsh rule allows inbound and the ONLOGON scheduled task launches. The name borrows that of the Client/Server Runtime Subsystem, whose genuine binary lives in C:\Windows\System32.

memory/2012-135-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/364-147-0x0000000006180000-0x00000000064D4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bbcebbfca78c1bc2c1c02a176b37a251
SHA1 f7cb8934581ad0ab5c639653ef1374651d47d24e
SHA256 de8e7abed553ba8ba56904065e5fc1073d96e8e782d8855e24c17ab140945aee
SHA512 5e69b9272728d4c5bc00a1cb1cea490727c63f1b147a714a433c57a67fd4b53a34b72c08d44ab479969b0cc6cc2c6a7f78bd8ceadcca2938ecd4e0a14c3b6a27

memory/364-149-0x0000000006E60000-0x0000000006EAC000-memory.dmp

memory/364-161-0x0000000007B70000-0x0000000007C13000-memory.dmp

memory/364-151-0x0000000071610000-0x0000000071964000-memory.dmp

memory/364-150-0x0000000070E50000-0x0000000070E9C000-memory.dmp

memory/364-162-0x0000000007D10000-0x0000000007D21000-memory.dmp

memory/364-163-0x0000000006690000-0x00000000066A4000-memory.dmp

memory/1676-174-0x0000000005650000-0x00000000059A4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 851851ae444b9c3fb26f8959d462c4c6
SHA1 11e1b09b0c18a5daea0c40e535710f9458448a19
SHA256 0a6d1e5cbccef898a257f4d92218e33fb10554829393f3fddaffcede4f5476d5
SHA512 f5da3a25e141ed0918904e85f36dadb2628baa5d3785758ce59a27fe88d05d2ff36bb99d844f74bfacb16a713c4aaf8c23d525ea0053dba418207676ae8a8ba4

memory/1676-176-0x0000000006030000-0x000000000607C000-memory.dmp

memory/1676-178-0x0000000070EF0000-0x0000000071244000-memory.dmp

memory/1676-188-0x0000000006D20000-0x0000000006DC3000-memory.dmp

memory/1676-177-0x0000000070D70000-0x0000000070DBC000-memory.dmp

memory/1676-189-0x0000000007020000-0x0000000007031000-memory.dmp

memory/1676-190-0x00000000055A0000-0x00000000055B4000-memory.dmp

memory/4048-201-0x0000000005900000-0x0000000005C54000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3be9144d4cd515075c9087c316ca6a96
SHA1 6180b9d0c2113c9543dc1d4878084294ea5f3d89
SHA256 bd6a6deebc3fc207161ef76ee853157af42cb66b1874311aad6f0a04d8bd033c
SHA512 2d0b7345531edc0e15ad72d2ff1a7c4afdbe6030901a01dddce9aa9e00378fec764b139267d4f3ae92f31704c8e7645b396a05019213bcf18e57438c7a9e5c5b

memory/4048-204-0x0000000071170000-0x00000000714C4000-memory.dmp

memory/4048-203-0x0000000070D70000-0x0000000070DBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1448-215-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Not a Microsoft component: the genuine Microsoft Defender service is named WinDefend and runs MsMpEng.exe, whereas this binary sits directly in C:\Windows and the sc sdset command under Processes targets a service named WinDefender. The service-creation step itself is not captured in this report.

memory/4796-229-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1928-228-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4796-225-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1448-230-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1928-232-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1448-231-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-233-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1928-235-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1448-236-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-239-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-241-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-244-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-246-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-247-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1448-249-0x0000000000400000-0x0000000002B0B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:41

Reported

2024-05-15 23:44

Platform

win11-20240426-en

Max time kernel

8s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe

"C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe

"C:\Users\Admin\AppData\Local\Temp\2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 6ec865f7-730b-4733-90d9-8a2637382f3e.uuid.dumppage.org udp
US 8.8.8.8:53 server1.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.111:443 server1.dumppage.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server1.dumppage.org tcp
BG 185.82.216.111:443 server1.dumppage.org tcp

Files

memory/1372-1-0x0000000004830000-0x0000000004C36000-memory.dmp

memory/1372-2-0x0000000004C40000-0x000000000552B000-memory.dmp

memory/1372-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4428-4-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

memory/4428-5-0x0000000002620000-0x0000000002656000-memory.dmp

memory/4428-7-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/4428-6-0x0000000004F30000-0x000000000555A000-memory.dmp

memory/4428-8-0x0000000004C30000-0x0000000004C52000-memory.dmp

memory/4428-9-0x0000000004D90000-0x0000000004DF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlo3jvj4.bud.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4428-10-0x00000000055D0000-0x0000000005636000-memory.dmp

memory/4428-16-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/4428-20-0x00000000056C0000-0x0000000005A17000-memory.dmp

memory/4428-21-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

memory/4428-22-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/4428-23-0x0000000006040000-0x0000000006086000-memory.dmp

memory/4428-24-0x0000000006EF0000-0x0000000006F24000-memory.dmp

memory/4428-26-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/4428-27-0x0000000070F40000-0x0000000071297000-memory.dmp

memory/4428-25-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

memory/4428-37-0x0000000006F50000-0x0000000006FF4000-memory.dmp

memory/4428-36-0x0000000006F30000-0x0000000006F4E000-memory.dmp

memory/4428-38-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/4428-39-0x00000000076C0000-0x0000000007D3A000-memory.dmp

memory/4428-40-0x0000000007080000-0x000000000709A000-memory.dmp

memory/4428-41-0x00000000070C0000-0x00000000070CA000-memory.dmp

memory/4428-42-0x00000000071D0000-0x0000000007266000-memory.dmp

memory/4428-43-0x00000000070E0000-0x00000000070F1000-memory.dmp

memory/4428-44-0x0000000007130000-0x000000000713E000-memory.dmp

memory/4428-45-0x0000000007140000-0x0000000007155000-memory.dmp

memory/4428-46-0x0000000007190000-0x00000000071AA000-memory.dmp

memory/4428-47-0x00000000071B0000-0x00000000071B8000-memory.dmp

memory/4428-50-0x0000000074B50000-0x0000000075301000-memory.dmp

memory/1372-52-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/1372-61-0x0000000004830000-0x0000000004C36000-memory.dmp

memory/1372-62-0x0000000004C40000-0x000000000552B000-memory.dmp

memory/2496-63-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

memory/2496-73-0x00000000076C0000-0x0000000007764000-memory.dmp

memory/2496-64-0x0000000070F40000-0x0000000071297000-memory.dmp

memory/2496-74-0x00000000079F0000-0x0000000007A01000-memory.dmp

memory/2496-75-0x0000000007A40000-0x0000000007A55000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

memory/2056-87-0x0000000005B30000-0x0000000005E87000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cd8ed0cb63c707660b16b97289b56f7f
SHA1 6dfdf5197ae643e388eb8922926be2d93c47aa8c
SHA256 26a7d316f0e89cb36e2e9ba8cb91b800c5075743f59108616066bc48aef1c671
SHA512 3c45cfe14cf2ea080c9c0118ebdff613f33b7bdb9748339385b116f23e6f34d57b77ea6c8cbaecea05ee476cf1b8045fe1bcda812bfc6d69d4a6e10245b83683

memory/2056-89-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

memory/2056-90-0x0000000070FF0000-0x0000000071347000-memory.dmp

memory/2780-108-0x0000000005820000-0x0000000005B77000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c37cb92d23d77e684d4cb86bcc405c70
SHA1 c0dfb4734af42c665fbf120a4f4af347eb8d8669
SHA256 5df6a5e55b25ab668fde4010a590c62e98853d4b25f847da2c404e8886d89465
SHA512 dd663fb777f4a563f41866761381f1dce0ab73be948e587df870c7cf83dc5ad3ef89f7b1750918b67f2092c2161d64fbb4b58bee4de3371638655662ac3400d9

memory/2780-110-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

memory/2780-111-0x0000000070FD0000-0x0000000071327000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 37dd4d82523bbfb21204e7f533525b6f
SHA1 ee3e26ea8f51d5030ed5c8eb4bc5c55a084082d3
SHA256 2c6e62770834e929f41dc8ebc5af550cb43991f5665e3f08342d7a39ff9eaa8e
SHA512 6f6717ad6eed49d06eac3c90e4246f756f1cac7a4fba9f01bad477912b7496e5e146cd182b9ed8084f51e4cafd56ff117842aa92b2398977178688ca1ccc6b50

memory/1372-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2856-124-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b030f02698257f47086e6c290fa7b2c2
SHA1 f21948b4ba8fbcf9dfb9abbceaf0c50e2979d6ec
SHA256 2650565dcee17a6513ef92a138d0096f575c7c8c6a9b1187b8543e4d423f65aa
SHA512 f4398251070e4478fcff1e05682aca580b64230496ecbfc814650050a9a60a83ef4b7d7a446ccf1a02540b783ac0b8d19abdddc7b368b3626c79a86ead8edea6

memory/3476-137-0x0000000005AE0000-0x0000000005E37000-memory.dmp

memory/3476-139-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

memory/3476-140-0x0000000071700000-0x0000000071A57000-memory.dmp

memory/4116-150-0x0000000005830000-0x0000000005B87000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 04b954d32a4318ec7c472a724363d40f
SHA1 bc134de2840c67986467e3f749c589e32a4558b8
SHA256 58e066f18ce25f828c1198db64214aec691efbfb80bd5667df9d34bbefe17973
SHA512 cce9ffbd82d0e6f8c4e29d2a44b29ead9694537e3c5fe30cbf937110c689de282cd13a06e3b0681204018649252801d2c28f9056576e0a5d283e92790d9e141c

memory/4116-160-0x0000000006380000-0x00000000063CC000-memory.dmp

memory/4116-161-0x0000000070CE0000-0x0000000070D2C000-memory.dmp

memory/4116-162-0x0000000070F30000-0x0000000071287000-memory.dmp

memory/4116-171-0x0000000007060000-0x0000000007104000-memory.dmp

memory/4116-172-0x00000000073B0000-0x00000000073C1000-memory.dmp

memory/4116-173-0x0000000005C10000-0x0000000005C25000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d20239e9f029557bbe0c22d5dcc03c64
SHA1 ea29013794f0c9ecccb910bfd7cac7d3e77aa50b
SHA256 5042e2393f400f2275e18b9c5058f006d41bda2a8481ba8f5c18ac23799602b3
SHA512 9e795000e0a959c67c86733f90f5840a4236a676ed214b9c659037dc6e247472603d733d5a9f70facc441c74c3fb72f7768d5b33005cd3665e79120df33f4075

memory/3164-184-0x0000000070CE0000-0x0000000070D2C000-memory.dmp

memory/3164-185-0x0000000070F30000-0x0000000071287000-memory.dmp

memory/4896-195-0x0000000000400000-0x0000000002B0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1516-207-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4220-211-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1516-210-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4896-212-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4220-215-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4896-214-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-217-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4220-221-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4896-220-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-223-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-226-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4220-230-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4896-229-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-232-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-235-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-238-0x0000000000400000-0x0000000002B0B000-memory.dmp

memory/4896-241-0x0000000000400000-0x0000000002B0B000-memory.dmp