Malware Analysis Report

2024-11-13 19:43

Sample ID: 240517-lvabkacg89
Target: f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15
SHA256: f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15
Tags: glupteba dropper evasion execution loader upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15

Threat Level: Known bad

The file f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion execution loader upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-17 09:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 09:50

Reported: 2024-05-17 09:53

Platform: win10v2004-20240426-en

Max time kernel: 8s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Process: C:\Windows\system32\netsh.exe

UPX packed file

upx

Launches sc.exe

Process: C:\Windows\SysWOW64\sc.exe

Creates scheduled task(s)

persistence
Process: C:\Windows\SYSTEM32\schtasks.exe
Process: C:\Windows\SYSTEM32\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe

"C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe

"C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2onuxt2.wod.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b32825e0e4aae64d983d9483c2d572b8
SHA1 7f72816688dd7219fb39bc6285f984ffb0c42f01
SHA256 3f9d5554be153d222b89b7822d9235cc9e16747eb7b57dd138e8465433034c30
SHA512 2fde9a99433ce38fc4b7d47c3b325d3106c249984af02d92613e3dc078d564b589b34cc9ee70cb107bdae7194c6ac4b96e2ec3bcaeca99d799ce7d6b62fda490

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 61b4b3cb8c3857129e280411f8c1473d
SHA1 82bf696623e92934638333a9d14a86253c83d71b
SHA256 eeb509f85f34bf62e375dfb854459a78ce2d13cd740211d79fe5ce140f7d79c6
SHA512 7659d3f8559d628b595b973066db029b305c689e4033e8b2c57ddc3e8a1f887b5764a16b66071f92adc1d4fd4cc35608057396c9545dd8c74368133762623803

C:\Windows\rss\csrss.exe

MD5 854e377b443dbd7d292f6f9e20040151
SHA1 edd79addfa67fbbb0f585d157404f256e192aa43
SHA256 f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15
SHA512 a02d803d271775ed22cf3cbc47a1043e7ffd969ff7865f9a5d0fadd942c7a3a87cd720d4eb3cd2b07efcc62bbade342b967db526508aede6749d2f226c3a8e8e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d88c3cbf40207065e7c679f815f249d0
SHA1 7226294575f1c8f9812fe73a44a5ffa060947ccd
SHA256 468b74efedd9e44d8567bac6cca41355380076b1977a1650c40e3cf79dbcfab0
SHA512 fc21e5265ad5d1c20eda071abadd8f1c7706261364356b76db361cabf836d0e4b06e091d34b21c09401ec6ab087273790bcb70e4cb8e11cb772e61d5b3690b62

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6ac4fb5e9ec8a7286b4593831e20e95b
SHA1 7ef93e268d50eebfc5ee69b02df9b541ef411d7e
SHA256 d91ed000387820a96196c3ff1ff47a6b67f48b4ca33b5322f7901fb64255e120
SHA512 5c2fd286b49f69d44bfe47d03347d79c954576823a481e68c2238b8cac6c8db15db788519a6eafd5c4156582eaf6a644a28aaf739fc2bfba70aebc985699075c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 02a241ac3863e3e562a5a086043159cd
SHA1 cfd6bd75031685966db017dc1b7d036c552f5fc1
SHA256 469e7965f25a4b1a78267abb46636c1e54aab9208ce71d70630738101690290b
SHA512 ca3557381fb1a59ff7f561e764a7ae694f87b396f348e16d2c38b33c303b2871266f3f16e46d8f62600e66a3496da22951b8e9cf5c16f37407494cb13df3fee6

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-17 09:50

Reported: 2024-05-17 09:53

Platform: win11-20240426-en

Max time kernel: 5s

Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Process: C:\Windows\system32\netsh.exe

UPX packed file

upx

Launches sc.exe

Process: C:\Windows\SysWOW64\sc.exe

Creates scheduled task(s)

persistence
Process: C:\Windows\SYSTEM32\schtasks.exe
Process: C:\Windows\SYSTEM32\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe

"C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe

"C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xo0djier.ftq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 afeae12950089d0b5ed59fa1556af35f
SHA1 b1c546eb1288213da721b9bdd50ef5197162845d
SHA256 4a7a6759699d727b1e7ec45b666b5155e587d978d3ed45727f602d9662779542
SHA512 8a35cdd0b5c19f4c2cd8a3e74f4aa0a726edf251d19f263f536d3af1789f4c0d7f8ecc415e79391ad26d5d62e594705f8c7d3f460d6112cdd1d5c9760bac3220

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 83b1efd62a9cd78797b45b662f00c9ae
SHA1 803c768c47e98714a931d5b56bc5658f9699bbff
SHA256 ac66f1b00a2626cc3e73b9ed7b79384ce400e4eb6c6ad02b1f200892f2952d9f
SHA512 6141d2f9d6dad1e424e001d9d4100c0c5829a4ef7987a633562c7ecc799607fbfb89160f61fc7988a8ad161ce180efc231c6145f6e4077162c51764733003255

C:\Windows\rss\csrss.exe

MD5 854e377b443dbd7d292f6f9e20040151
SHA1 edd79addfa67fbbb0f585d157404f256e192aa43
SHA256 f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15
SHA512 a02d803d271775ed22cf3cbc47a1043e7ffd969ff7865f9a5d0fadd942c7a3a87cd720d4eb3cd2b07efcc62bbade342b967db526508aede6749d2f226c3a8e8e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dc5be680338fb45308305f88c9341f41
SHA1 fa90175ad909f71da8e9e5b702fc32546786e65b
SHA256 e67c8a763fa0d3a3b5fc2cf5551d0cea5511ef1b2f40e8fcaf3b0c07627d0a08
SHA512 cb0b7c8444f35fea6799544eef70b10dadc1b612739971d99a0bd210ab6dc4c438518a6d6dcac4733e6b812d21db9460f9429385745515d77428c412381040a3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9b598f3e8a47090e65fd70b71f49a139
SHA1 9ec081e32ab383072bdb90dd21748893ad2c7668
SHA256 1be386d766aa3e4558244e3cf734d4d7822b6d06dfe65ece17bffab76adf392a
SHA512 b5673ff808c8538002ddcb6f9df99b6580901735463b2397145eea009eac094a0bf118770447de125041d5a35cebf646b719c51c4f2ee2394d9e82f3142c30e2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 10f777d63a1e98cb47f4f8272d1f4495
SHA1 2932bfaa055e03dd275274ffc60e8fd5e8278df6
SHA256 185325487390d7d9f7fe574702a698bbb4be16a791ecee94d617abbaa09b2e12
SHA512 e8bb6d3ce00bb52e92199a3cc6694098c26d7725c50c5e837c5e856bec5b208ce2076553961110a18d04207b9404401fea19fe2601d7b38416d3967f8d176f5f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
