Analysis Overview
SHA256
f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15
Threat Level: Known bad
The file f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15 was found to be: Known bad.
Malicious Activity Summary
Glupteba
Glupteba payload
Modifies Windows Firewall
UPX packed file
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-17 09:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 09:50
Reported
2024-05-17 09:53
Platform
win10v2004-20240426-en
Max time kernel
8s
Max time network
153s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe | "C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe | "C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.162:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.162:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cae5dfda-5ca0-445b-ad34-4b38c0f1998d.uuid.dumppage.org | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | server10.dumppage.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.111:443 | server10.dumppage.org | tcp |
| US | 74.125.250.129:19302 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.216.82.185.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server10.dumppage.org | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BG | 185.82.216.111:443 | server10.dumppage.org | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/4564-1-0x0000000004780000-0x0000000004B84000-memory.dmp
memory/4564-2-0x0000000004B90000-0x000000000547B000-memory.dmp
memory/4564-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4936-4-0x000000007403E000-0x000000007403F000-memory.dmp
memory/4936-5-0x00000000026E0000-0x0000000002716000-memory.dmp
memory/4936-6-0x0000000004FF0000-0x0000000005618000-memory.dmp
memory/4936-8-0x0000000074030000-0x00000000747E0000-memory.dmp
memory/4936-7-0x0000000074030000-0x00000000747E0000-memory.dmp
memory/4936-9-0x0000000004E20000-0x0000000004E42000-memory.dmp
memory/4936-10-0x0000000004EC0000-0x0000000004F26000-memory.dmp
memory/4936-11-0x0000000004F30000-0x0000000004F96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2onuxt2.wod.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4936-21-0x00000000057D0000-0x0000000005B24000-memory.dmp
memory/4936-22-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
memory/4936-23-0x0000000005D10000-0x0000000005D5C000-memory.dmp
memory/4936-24-0x0000000006DE0000-0x0000000006E24000-memory.dmp
memory/4936-25-0x0000000006F70000-0x0000000006FE6000-memory.dmp
memory/4936-27-0x0000000007090000-0x00000000070AA000-memory.dmp
memory/4936-26-0x00000000076E0000-0x0000000007D5A000-memory.dmp
memory/4936-30-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/4936-31-0x0000000070050000-0x00000000703A4000-memory.dmp
memory/4936-42-0x00000000072B0000-0x0000000007353000-memory.dmp
memory/4936-43-0x0000000074030000-0x00000000747E0000-memory.dmp
memory/4936-41-0x0000000007290000-0x00000000072AE000-memory.dmp
memory/4936-29-0x0000000007250000-0x0000000007282000-memory.dmp
memory/4936-44-0x00000000073A0000-0x00000000073AA000-memory.dmp
memory/4564-28-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4936-45-0x0000000007460000-0x00000000074F6000-memory.dmp
memory/4936-46-0x00000000073C0000-0x00000000073D1000-memory.dmp
memory/4936-48-0x0000000007410000-0x0000000007424000-memory.dmp
memory/4936-50-0x0000000007450000-0x0000000007458000-memory.dmp
memory/4936-49-0x0000000007500000-0x000000000751A000-memory.dmp
memory/4936-47-0x0000000007400000-0x000000000740E000-memory.dmp
memory/4936-53-0x0000000074030000-0x00000000747E0000-memory.dmp
memory/4564-64-0x0000000004780000-0x0000000004B84000-memory.dmp
memory/4564-65-0x0000000004B90000-0x000000000547B000-memory.dmp
memory/2672-67-0x0000000070050000-0x00000000703A4000-memory.dmp
memory/2672-66-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/2672-77-0x0000000006ED0000-0x0000000006F73000-memory.dmp
memory/2672-78-0x00000000071E0000-0x00000000071F1000-memory.dmp
memory/2672-79-0x0000000007230000-0x0000000007244000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/4264-88-0x0000000005950000-0x0000000005CA4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b32825e0e4aae64d983d9483c2d572b8 |
| SHA1 | 7f72816688dd7219fb39bc6285f984ffb0c42f01 |
| SHA256 | 3f9d5554be153d222b89b7822d9235cc9e16747eb7b57dd138e8465433034c30 |
| SHA512 | 2fde9a99433ce38fc4b7d47c3b325d3106c249984af02d92613e3dc078d564b589b34cc9ee70cb107bdae7194c6ac4b96e2ec3bcaeca99d799ce7d6b62fda490 |
memory/4564-94-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4264-96-0x0000000070670000-0x00000000709C4000-memory.dmp
memory/4264-95-0x000000006FED0000-0x000000006FF1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 61b4b3cb8c3857129e280411f8c1473d |
| SHA1 | 82bf696623e92934638333a9d14a86253c83d71b |
| SHA256 | eeb509f85f34bf62e375dfb854459a78ce2d13cd740211d79fe5ce140f7d79c6 |
| SHA512 | 7659d3f8559d628b595b973066db029b305c689e4033e8b2c57ddc3e8a1f887b5764a16b66071f92adc1d4fd4cc35608057396c9545dd8c74368133762623803 |
memory/3620-117-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/3620-118-0x0000000070050000-0x00000000703A4000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 854e377b443dbd7d292f6f9e20040151 |
| SHA1 | edd79addfa67fbbb0f585d157404f256e192aa43 |
| SHA256 | f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15 |
| SHA512 | a02d803d271775ed22cf3cbc47a1043e7ffd969ff7865f9a5d0fadd942c7a3a87cd720d4eb3cd2b07efcc62bbade342b967db526508aede6749d2f226c3a8e8e |
memory/4564-135-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4108-134-0x0000000000400000-0x0000000002B0D000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d88c3cbf40207065e7c679f815f249d0 |
| SHA1 | 7226294575f1c8f9812fe73a44a5ffa060947ccd |
| SHA256 | 468b74efedd9e44d8567bac6cca41355380076b1977a1650c40e3cf79dbcfab0 |
| SHA512 | fc21e5265ad5d1c20eda071abadd8f1c7706261364356b76db361cabf836d0e4b06e091d34b21c09401ec6ab087273790bcb70e4cb8e11cb772e61d5b3690b62 |
memory/3520-147-0x0000000070050000-0x00000000703A4000-memory.dmp
memory/3520-146-0x000000006FED0000-0x000000006FF1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6ac4fb5e9ec8a7286b4593831e20e95b |
| SHA1 | 7ef93e268d50eebfc5ee69b02df9b541ef411d7e |
| SHA256 | d91ed000387820a96196c3ff1ff47a6b67f48b4ca33b5322f7901fb64255e120 |
| SHA512 | 5c2fd286b49f69d44bfe47d03347d79c954576823a481e68c2238b8cac6c8db15db788519a6eafd5c4156582eaf6a644a28aaf739fc2bfba70aebc985699075c |
memory/1588-167-0x00000000062B0000-0x0000000006604000-memory.dmp
memory/1588-169-0x0000000006D10000-0x0000000006D5C000-memory.dmp
memory/1588-171-0x000000006FDF0000-0x000000006FE3C000-memory.dmp
memory/1588-182-0x0000000007980000-0x0000000007A23000-memory.dmp
memory/1588-172-0x000000006FF70000-0x00000000702C4000-memory.dmp
memory/1588-183-0x0000000007C90000-0x0000000007CA1000-memory.dmp
memory/1588-184-0x0000000005980000-0x0000000005994000-memory.dmp
memory/4408-191-0x0000000005760000-0x0000000005AB4000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 02a241ac3863e3e562a5a086043159cd |
| SHA1 | cfd6bd75031685966db017dc1b7d036c552f5fc1 |
| SHA256 | 469e7965f25a4b1a78267abb46636c1e54aab9208ce71d70630738101690290b |
| SHA512 | ca3557381fb1a59ff7f561e764a7ae694f87b396f348e16d2c38b33c303b2871266f3f16e46d8f62600e66a3496da22951b8e9cf5c16f37407494cb13df3fee6 |
memory/4408-198-0x00000000705B0000-0x0000000070904000-memory.dmp
memory/4408-197-0x000000006FDF0000-0x000000006FE3C000-memory.dmp
memory/4588-210-0x0000000000400000-0x0000000002B0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/4928-221-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/4928-226-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4996-225-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4588-227-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4996-231-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4588-230-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-234-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4996-239-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4588-238-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-243-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-246-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-250-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-254-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-258-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-263-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/4588-266-0x0000000000400000-0x0000000002B0D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 09:50
Reported
2024-05-17 09:53
Platform
win11-20240426-en
Max time kernel
5s
Max time network
131s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe | "C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe | "C:\Users\Admin\AppData\Local\Temp\f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a5e3eb2a-26b5-4518-af6b-83780249a011.uuid.dumppage.org | udp |
| US | 8.8.8.8:53 | server9.dumppage.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| BG | 185.82.216.111:443 | server9.dumppage.org | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| BG | 185.82.216.111:443 | server9.dumppage.org | tcp |
| BG | 185.82.216.111:443 | server9.dumppage.org | tcp |
Files
memory/3408-1-0x0000000004890000-0x0000000004C8D000-memory.dmp
memory/3408-2-0x0000000004C90000-0x000000000557B000-memory.dmp
memory/3408-3-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1900-4-0x00000000741CE000-0x00000000741CF000-memory.dmp
memory/1900-5-0x0000000002850000-0x0000000002886000-memory.dmp
memory/1900-7-0x00000000741C0000-0x0000000074971000-memory.dmp
memory/1900-6-0x0000000005540000-0x0000000005B6A000-memory.dmp
memory/1900-8-0x00000000741C0000-0x0000000074971000-memory.dmp
memory/1900-9-0x00000000051A0000-0x00000000051C2000-memory.dmp
memory/1900-11-0x00000000053E0000-0x0000000005446000-memory.dmp
memory/1900-10-0x0000000005240000-0x00000000052A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xo0djier.ftq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1900-20-0x0000000005C70000-0x0000000005FC7000-memory.dmp
memory/1900-21-0x0000000006060000-0x000000000607E000-memory.dmp
memory/1900-22-0x00000000060A0000-0x00000000060EC000-memory.dmp
memory/1900-23-0x00000000065E0000-0x0000000006626000-memory.dmp
memory/1900-24-0x0000000007470000-0x00000000074A4000-memory.dmp
memory/1900-37-0x00000000074D0000-0x0000000007574000-memory.dmp
memory/1900-36-0x00000000074B0000-0x00000000074CE000-memory.dmp
memory/1900-38-0x00000000741C0000-0x0000000074971000-memory.dmp
memory/1900-27-0x00000000705C0000-0x0000000070917000-memory.dmp
memory/1900-40-0x0000000007600000-0x000000000761A000-memory.dmp
memory/1900-41-0x0000000007640000-0x000000000764A000-memory.dmp
memory/1900-39-0x0000000007C40000-0x00000000082BA000-memory.dmp
memory/1900-26-0x00000000741C0000-0x0000000074971000-memory.dmp
memory/1900-25-0x0000000070430000-0x000000007047C000-memory.dmp
memory/1900-42-0x0000000007750000-0x00000000077E6000-memory.dmp
memory/1900-43-0x0000000007660000-0x0000000007671000-memory.dmp
memory/1900-44-0x00000000076B0000-0x00000000076BE000-memory.dmp
memory/1900-45-0x00000000076C0000-0x00000000076D5000-memory.dmp
memory/1900-46-0x0000000007710000-0x000000000772A000-memory.dmp
memory/1900-47-0x0000000007730000-0x0000000007738000-memory.dmp
memory/1900-50-0x00000000741C0000-0x0000000074971000-memory.dmp
memory/3408-53-0x0000000004890000-0x0000000004C8D000-memory.dmp
memory/3408-52-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1948-59-0x0000000006380000-0x00000000066D7000-memory.dmp
memory/3408-63-0x0000000004C90000-0x000000000557B000-memory.dmp
memory/1948-74-0x0000000007AB0000-0x0000000007B54000-memory.dmp
memory/1948-65-0x0000000070680000-0x00000000709D7000-memory.dmp
memory/1948-64-0x0000000070430000-0x000000007047C000-memory.dmp
memory/1948-75-0x0000000007DF0000-0x0000000007E01000-memory.dmp
memory/1948-76-0x0000000007E40000-0x0000000007E55000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
memory/2256-80-0x0000000005810000-0x0000000005B67000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | afeae12950089d0b5ed59fa1556af35f |
| SHA1 | b1c546eb1288213da721b9bdd50ef5197162845d |
| SHA256 | 4a7a6759699d727b1e7ec45b666b5155e587d978d3ed45727f602d9662779542 |
| SHA512 | 8a35cdd0b5c19f4c2cd8a3e74f4aa0a726edf251d19f263f536d3af1789f4c0d7f8ecc415e79391ad26d5d62e594705f8c7d3f460d6112cdd1d5c9760bac3220 |
memory/2256-90-0x0000000070430000-0x000000007047C000-memory.dmp
memory/2256-91-0x00000000706A0000-0x00000000709F7000-memory.dmp
memory/3856-109-0x00000000062B0000-0x0000000006607000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 83b1efd62a9cd78797b45b662f00c9ae |
| SHA1 | 803c768c47e98714a931d5b56bc5658f9699bbff |
| SHA256 | ac66f1b00a2626cc3e73b9ed7b79384ce400e4eb6c6ad02b1f200892f2952d9f |
| SHA512 | 6141d2f9d6dad1e424e001d9d4100c0c5829a4ef7987a633562c7ecc799607fbfb89160f61fc7988a8ad161ce180efc231c6145f6e4077162c51764733003255 |
memory/3856-112-0x00000000705B0000-0x0000000070907000-memory.dmp
memory/3856-111-0x0000000070430000-0x000000007047C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 854e377b443dbd7d292f6f9e20040151 |
| SHA1 | edd79addfa67fbbb0f585d157404f256e192aa43 |
| SHA256 | f734c13b47beec8f859f1f495679d2fcb7205df940146ad656905918db8a0a15 |
| SHA512 | a02d803d271775ed22cf3cbc47a1043e7ffd969ff7865f9a5d0fadd942c7a3a87cd720d4eb3cd2b07efcc62bbade342b967db526508aede6749d2f226c3a8e8e |
memory/1020-121-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/3408-124-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | dc5be680338fb45308305f88c9341f41 |
| SHA1 | fa90175ad909f71da8e9e5b702fc32546786e65b |
| SHA256 | e67c8a763fa0d3a3b5fc2cf5551d0cea5511ef1b2f40e8fcaf3b0c07627d0a08 |
| SHA512 | cb0b7c8444f35fea6799544eef70b10dadc1b612739971d99a0bd210ab6dc4c438518a6d6dcac4733e6b812d21db9460f9429385745515d77428c412381040a3 |
memory/4036-138-0x0000000005BD0000-0x0000000005F27000-memory.dmp
memory/4036-141-0x00000000705D0000-0x0000000070927000-memory.dmp
memory/4036-140-0x0000000070430000-0x000000007047C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9b598f3e8a47090e65fd70b71f49a139 |
| SHA1 | 9ec081e32ab383072bdb90dd21748893ad2c7668 |
| SHA256 | 1be386d766aa3e4558244e3cf734d4d7822b6d06dfe65ece17bffab76adf392a |
| SHA512 | b5673ff808c8538002ddcb6f9df99b6580901735463b2397145eea009eac094a0bf118770447de125041d5a35cebf646b719c51c4f2ee2394d9e82f3142c30e2 |
memory/4656-159-0x0000000005EA0000-0x00000000061F7000-memory.dmp
memory/4656-161-0x00000000066F0000-0x000000000673C000-memory.dmp
memory/4656-162-0x0000000070350000-0x000000007039C000-memory.dmp
memory/4656-163-0x00000000704D0000-0x0000000070827000-memory.dmp
memory/4656-172-0x0000000007540000-0x00000000075E4000-memory.dmp
memory/4656-173-0x0000000007870000-0x0000000007881000-memory.dmp
memory/4656-174-0x0000000005C90000-0x0000000005CA5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 10f777d63a1e98cb47f4f8272d1f4495 |
| SHA1 | 2932bfaa055e03dd275274ffc60e8fd5e8278df6 |
| SHA256 | 185325487390d7d9f7fe574702a698bbb4be16a791ecee94d617abbaa09b2e12 |
| SHA512 | e8bb6d3ce00bb52e92199a3cc6694098c26d7725c50c5e837c5e856bec5b208ce2076553961110a18d04207b9404401fea19fe2601d7b38416d3967f8d176f5f |
memory/3048-181-0x0000000005E30000-0x0000000006187000-memory.dmp
memory/3048-187-0x00000000705A0000-0x00000000708F7000-memory.dmp
memory/3048-186-0x0000000070350000-0x000000007039C000-memory.dmp
memory/1020-196-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-197-0x0000000000400000-0x0000000002B0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/916-209-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/916-213-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/912-212-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1016-215-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/912-219-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1016-218-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-222-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/912-227-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1016-226-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-230-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-233-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/912-237-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1016-239-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-242-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-246-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-250-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/1016-253-0x0000000000400000-0x0000000002B0D000-memory.dmp