Analysis
  max time kernel: 147s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 24-05-2022 03:15
Static task: static1
Behavioral task: behavioral1
  Sample: 025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  Resource: win10v2004-20220414-en
General
  Target: 025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  Size: 3.8MB
  MD5: e2bcfb552fd8fdb88da751306f4bea2a
  SHA1: b99331f2858f7ee67ea907419c0769fe2279b672
  SHA256: 025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c
  SHA512: 31746515c1278da7a61e6d3a189eb42415265d6d5b364773bd3abd6284d5d7782792c1a357c20e18aca1820db17ea160eec9fa406c2f1019c322de390f262767
Malware Config
Signatures
Glupteba Payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/956-131-0x00000000040D0000-0x00000000047BF000-memory.dmp   family_glupteba
  behavioral2/memory/956-132-0x0000000000400000-0x0000000003A72000-memory.dmp   family_glupteba
  behavioral2/memory/4508-135-0x0000000000400000-0x0000000003A72000-memory.dmp  family_glupteba
  behavioral2/memory/4664-144-0x0000000000400000-0x0000000003A72000-memory.dmp  family_glupteba
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description           pid   process      target process
  PID 1980 created 956  1980  svchost.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
Executes dropped EXE (1 IoCs)
  pid   process
  4664  csrss.exe
Modifies Windows Firewall (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FallingWildflower = "\"C:\\Windows\\rss\\csrss.exe\""  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
Drops file in Windows directory (2 IoCs)
  description                   ioc                       process
  File opened for modification  C:\Windows\rss            025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  File created                  C:\Windows\rss\csrss.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
Program crash (64 IoCs)
  pid   pid_target  process       target process
  2624  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  1072  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4368  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4860  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  2884  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  5112  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  2336  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  1432  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  2268  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  204   956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4988  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3880  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3268  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3676  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  2824  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  2444  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3424  956         WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3280  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4708  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  2124  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4788  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4476  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  928   4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  1088  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3456  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  1124  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3648  4508        WerFault.exe  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  3920  4664        WerFault.exe  csrss.exe
  3716  4664        WerFault.exe  csrss.exe
  1152  4664        WerFault.exe  csrss.exe
  4084  4664        WerFault.exe  csrss.exe
  4332  4664        WerFault.exe  csrss.exe
  4640  4664        WerFault.exe  csrss.exe
  2756  4664        WerFault.exe  csrss.exe
  4092  4664        WerFault.exe  csrss.exe
  3212  4664        WerFault.exe  csrss.exe
  1308  4664        WerFault.exe  csrss.exe
  3020  4664        WerFault.exe  csrss.exe
  112   4664        WerFault.exe  csrss.exe
  1532  4664        WerFault.exe  csrss.exe
  3880  4664        WerFault.exe  csrss.exe
  3268  4664        WerFault.exe  csrss.exe
  2776  4664        WerFault.exe  csrss.exe
  2216  4664        WerFault.exe  csrss.exe
  4404  4664        WerFault.exe  csrss.exe
  1760  4664        WerFault.exe  csrss.exe
  956   4664        WerFault.exe  csrss.exe
  4112  4664        WerFault.exe  csrss.exe
  4056  4664        WerFault.exe  csrss.exe
  912   4664        WerFault.exe  csrss.exe
  1536  4664        WerFault.exe  csrss.exe
  2308  4664        WerFault.exe  csrss.exe
  968   4664        WerFault.exe  csrss.exe
  4708  4664        WerFault.exe  csrss.exe
  884   4664        WerFault.exe  csrss.exe
  3008  4664        WerFault.exe  csrss.exe
  4584  4664        WerFault.exe  csrss.exe
  4632  4664        WerFault.exe  csrss.exe
  1320  4664        WerFault.exe  csrss.exe
  4944  4664        WerFault.exe  csrss.exe
  1200  4664        WerFault.exe  csrss.exe
  1124  4664        WerFault.exe  csrss.exe
  3500  4664        WerFault.exe  csrss.exe
  3648  4664        WerFault.exe  csrss.exe
Modifies data under HKEY_USERS (64 IoCs)
  All 64 entries are "Set value (str)" operations by process 025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe.
  Every ioc key has the common prefix
    \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,
  followed by the resource id listed below.
  resource id  value
  -1821        "Russia TZ 1 Daylight Time"
  -2791        "Novosibirsk Daylight Time"
  -872         "Pakistan Standard Time"
  -332         "E. Europe Standard Time"
  -2792        "Novosibirsk Standard Time"
  -2341        "Haiti Daylight Time"
  -1502        "Turkey Standard Time"
  -2391        "Aleutian Daylight Time"
  -2002        "Cabo Verde Standard Time"
  -492         "India Standard Time"
  -721         "Central Pacific Daylight Time"
  -1872        "Russia TZ 7 Standard Time"
  -392         "Arab Standard Time"
  -171         "Central Daylight Time (Mexico)"
  -501         "Nepal Daylight Time"
  -1861        "Russia TZ 6 Daylight Time"
  -341         "Egypt Daylight Time"
  -232         "Hawaiian Standard Time"
  -1892        "Russia TZ 3 Standard Time"
  -1501        "Turkey Daylight Time"
  -731         "Fiji Daylight Time"
  -1802        "Line Islands Standard Time"
  -1471        "Magadan Daylight Time"
  -541         "Myanmar Daylight Time"
  -1831        "Russia TZ 2 Daylight Time"
  -2532        "Chatham Islands Standard Time"
  -52          "Greenland Standard Time"
  -2872        "Magallanes Standard Time"
  -181         "Mountain Daylight Time (Mexico)"
  -1891        "Russia TZ 3 Daylight Time"
  -751         "Tonga Daylight Time"
  -1971        "Belarus Daylight Time"
  -172         "Central Standard Time (Mexico)"
  -1041        "Ulaanbaatar Daylight Time"
  -441         "Arabian Daylight Time"
  -2611        "Bougainville Daylight Time"
  -262         "GMT Standard Time"
  -981         "Kamchatka Daylight Time"
  -191         "Mountain Daylight Time"
  -92          "Pacific SA Standard Time"
  -3052        "Qyzylorda Standard Time"
  -435         "Georgian Standard Time"
  -335         "Jordan Standard Time"
  -31          "Mid-Atlantic Daylight Time"
  -502         "Nepal Standard Time"
  -402         "Arabic Standard Time"
  -452         "Caucasus Standard Time"
  -732         "Fiji Standard Time"
  -2631        "Norfolk Daylight Time"
  -382         "South Africa Standard Time"
  -132         "US Eastern Standard Time"
  -1021        "Bangladesh Daylight Time"
  -152         "Central America Standard Time"
  -682         "E. Australia Standard Time"
  -2512        "Lord Howe Standard Time"
  -301         "Romance Daylight Time"
  -2322        "Sakhalin Standard Time"
  -2492        "Aus Central W. Standard Time"
  -364         "Middle East Daylight Time"
  -1871        "Russia TZ 7 Daylight Time"
  -2771        "Omsk Daylight Time"
  -202         "US Mountain Standard Time"
  -391         "Arab Daylight Time"
  -572         "China Standard Time"
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   process
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  4664  csrss.exe
  4664  csrss.exe
  4664  csrss.exe
  4664  csrss.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                    pid   process
  Token: SeDebugPrivilege        956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  Token: SeImpersonatePrivilege  956   025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  Token: SeTcbPrivilege          1980  svchost.exe
  Token: SeTcbPrivilege          1980  svchost.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   process                                                                target process
  PID 1980 wrote to memory of 4508   1980  svchost.exe                                                            025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  PID 1980 wrote to memory of 4508   1980  svchost.exe                                                            025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  PID 1980 wrote to memory of 4508   1980  svchost.exe                                                            025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
  PID 4508 wrote to memory of 1656   4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe  cmd.exe
  PID 4508 wrote to memory of 1656   4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe  cmd.exe
  PID 1656 wrote to memory of 4136   1656  cmd.exe                                                                netsh.exe
  PID 1656 wrote to memory of 4136   1656  cmd.exe                                                                netsh.exe
  PID 4508 wrote to memory of 5048   4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe  cmd.exe
  PID 4508 wrote to memory of 5048   4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe  cmd.exe
  PID 5048 wrote to memory of 2220   5048  cmd.exe                                                                netsh.exe
  PID 5048 wrote to memory of 2220   5048  cmd.exe                                                                netsh.exe
  PID 4508 wrote to memory of 4664   4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe  csrss.exe
  PID 4508 wrote to memory of 4664   4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe  csrss.exe
  PID 4508 wrote to memory of 4664   4508  025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe  csrss.exe
Processes (tree; indentation gives the depth of each process under its parent)
  C:\Users\Admin\AppData\Local\Temp\025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 328
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 332
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 332
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 600
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 700
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 720
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 720
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 736
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 760
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 744
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 824
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 832
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 852
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 848
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 784
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 852
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 784
      - Program crash
    C:\Users\Admin\AppData\Local\Temp\025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 300
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 304
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 304
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 532
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 756
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 756
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 756
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 756
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 820
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 844
        - Program crash
      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\netsh.exe
          cmd: netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" enable=yes
      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\netsh.exe
          cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      C:\Windows\rss\csrss.exe
        cmd: C:\Windows\rss\csrss.exe ""
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 220
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 356
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 340
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 772
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 772
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 772
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 844
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 852
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 860
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 856
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 860
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 984
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 840
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 752
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1020
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 832
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 816
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 884
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 956
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 716
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 968
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1056
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 984
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1044
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 892
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1064
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1056
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1136
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1172
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1196
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1200
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1212
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1056
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1032
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1220
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1092
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1076
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1052
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1224
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1136
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 828
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1052
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1188
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1188
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1076
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1260
        C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1068
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11684⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 7084⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 12404⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11004⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10924⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11924⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11244⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10564⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10924⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11364⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11684⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 12644⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 12644⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 8284⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10924⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 7084⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10764⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 12724⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 10924⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11644⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 12404⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 11964⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 956 -ip 9561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 956 -ip 9561⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4508 -ip 45081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4664 -ip 46641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4664 -ip 46641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\rss\csrss.exe
Filesize 3.8MB
MD5 e2bcfb552fd8fdb88da751306f4bea2a
SHA1 b99331f2858f7ee67ea907419c0769fe2279b672
SHA256 025f3da46d16a6a0179a27b0f26d082e29358254a22e6af887b03106e9e9048c
SHA512 31746515c1278da7a61e6d3a189eb42415265d6d5b364773bd3abd6284d5d7782792c1a357c20e18aca1820db17ea160eec9fa406c2f1019c322de390f262767
-
memory/956-131-0x00000000040D0000-0x00000000047BF000-memory.dmp
Filesize 6.9MB
-
memory/956-132-0x0000000000400000-0x0000000003A72000-memory.dmp
Filesize 54.4MB
-
memory/956-130-0x0000000003D2A000-0x00000000040CE000-memory.dmp
Filesize 3.6MB
-
memory/1656-136-0x0000000000000000-mapping.dmp
-
memory/2220-139-0x0000000000000000-mapping.dmp
-
memory/4136-137-0x0000000000000000-mapping.dmp
-
memory/4508-135-0x0000000000400000-0x0000000003A72000-memory.dmp
Filesize 54.4MB
-
memory/4508-134-0x0000000003D37000-0x00000000040DB000-memory.dmp
Filesize 3.6MB
-
memory/4508-133-0x0000000000000000-mapping.dmp
-
memory/4664-140-0x0000000000000000-mapping.dmp
-
memory/4664-143-0x0000000004000000-0x00000000043A4000-memory.dmp
Filesize 3.6MB
-
memory/4664-144-0x0000000000400000-0x0000000003A72000-memory.dmp
Filesize 54.4MB
-
memory/5048-138-0x0000000000000000-mapping.dmp