glupteba | be33ed4f9d804207cde82fe2402766243c4739a2c4d9319cf4781858eca82e07

General

Target

f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
Size

4.4MB
MD5

f50d7e5eb828c1b64b674b1decf32416
SHA1

1d2dfe56e6693572cebc72ce617a03070798c7a3
SHA256

be33ed4f9d804207cde82fe2402766243c4739a2c4d9319cf4781858eca82e07
SHA512

269bae52d7877fa4a138cb3106402a5d7cff2132e8448b559c40ee1515ff88b548ea37a22e59da29c790f20a22e64fa22993d35a6788b85507808cd8c7653eab
SSDEEP

98304:iQRi8rzyu4absB48jEzr5ufxD7k4eArxz3JAq6B:iQRiiKabU4YEzFux04fxWlB

Score

10^/10

glupteba metasploit backdoor dropper evasion loader trojan

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4764-2-0x0000000005150000-0x0000000005A76000-memory.dmp	family_glupteba
behavioral2/memory/4764-3-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba
behavioral2/memory/4764-4-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba
behavioral2/memory/4764-6-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba
behavioral2/memory/4764-7-0x0000000005150000-0x0000000005A76000-memory.dmp	family_glupteba
behavioral2/memory/1432-9-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba
behavioral2/memory/1432-10-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba
behavioral2/memory/1432-14-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba
behavioral2/memory/224-18-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba
behavioral2/memory/224-19-0x0000000000400000-0x00000000030EF000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1304 netsh.exe

pid	process
1304	netsh.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
260	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2352	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
3828	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4280	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
396	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4476	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2284	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2496	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
3104	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4704	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2112	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
1644	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4924	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4904	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
620	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2328	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
1636	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4292	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
3160	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2624	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4488	4764	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4892	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4468	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
1016	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
1688	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
832	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4120	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4908	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
3404	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2300	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
968	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2772	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4600	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
3872	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
5056	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
1992	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4344	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4764	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
5108	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
4824	1432	WerFault.exe	f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
2444	224	WerFault.exe	csrss.exe
2496	224	WerFault.exe	csrss.exe
2508	224	WerFault.exe	csrss.exe
3708	224	WerFault.exe	csrss.exe
4908	224	WerFault.exe	csrss.exe
3404	224	WerFault.exe	csrss.exe
4596	224	WerFault.exe	csrss.exe
4112	224	WerFault.exe	csrss.exe
2772	224	WerFault.exe	csrss.exe
3176	224	WerFault.exe	csrss.exe
3872	224	WerFault.exe	csrss.exe
2176	224	WerFault.exe	csrss.exe
3920	224	WerFault.exe	csrss.exe
2380	224	WerFault.exe	csrss.exe
4452	224	WerFault.exe	csrss.exe
3276	224	WerFault.exe	csrss.exe
4700	224	WerFault.exe	csrss.exe
2656	224	WerFault.exe	csrss.exe
3132	224	WerFault.exe	csrss.exe
396	224	WerFault.exe	csrss.exe
3556	224	WerFault.exe	csrss.exe
2444	224	WerFault.exe	csrss.exe
2496	224	WerFault.exe	csrss.exe
832	224	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2520 schtasks.exe
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 45 Go-http-client/1.1
HTTP User-Agent header 55 Go-http-client/1.1
HTTP User-Agent header 56 Go-http-client/1.1

pid	process
2520	schtasks.exe

description	flow	ioc
HTTP User-Agent header	45	Go-http-client/1.1
HTTP User-Agent header	55	Go-http-client/1.1
HTTP User-Agent header	56	Go-http-client/1.1

C:\Users\Admin\AppData\Local\Temp\f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe"
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 368
2⤵
- Program crash
PID:260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 388
2⤵
- Program crash
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 388
2⤵
- Program crash
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 604
2⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 688
2⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 720
2⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 712
2⤵
- Program crash
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 748
2⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 776
2⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 740
2⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 840
2⤵
- Program crash
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 756
2⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 872
2⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 628
2⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 888
2⤵
- Program crash
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 776
2⤵
- Program crash
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 828
2⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 848
2⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 836
2⤵
- Program crash
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 696
2⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 856
2⤵
- Program crash
PID:4488

C:\Users\Admin\AppData\Local\Temp\f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f50d7e5eb828c1b64b674b1decf32416_JaffaCakes118.exe"
2⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 332
3⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 336
3⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 336
3⤵
- Program crash
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 592
3⤵
- Program crash
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 668
3⤵
- Program crash
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 668
3⤵
- Program crash
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 668
3⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 700
3⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 732
3⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 716
3⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 680
3⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 840
3⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 660
3⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 884
3⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 896
3⤵
- Program crash
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 936
3⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1332
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1448
3⤵
- Program crash
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:3740

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1456
3⤵
- Program crash
PID:4824

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /200-200
3⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 372
4⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 376
4⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 376
4⤵
- Program crash
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 664
4⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 704
4⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 720
4⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 704
4⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 736
4⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 752
4⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 752
4⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 740
4⤵
- Program crash
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 424
4⤵
- Program crash
PID:2176

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 848
4⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 880
4⤵
- Program crash
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 880
4⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 972
4⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1036
4⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1112
4⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 972
4⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1124
4⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1116
4⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 940
4⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1616
4⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1560
4⤵
- Program crash
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1644
4⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1692
4⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1560
4⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1712
4⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1608
4⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4764 -ip 4764
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4764 -ip 4764
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4764 -ip 4764
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4764 -ip 4764
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4764 -ip 4764
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4764 -ip 4764
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4764 -ip 4764
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4764 -ip 4764
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4764 -ip 4764
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4764 -ip 4764
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4764 -ip 4764
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4764 -ip 4764
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4764 -ip 4764
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4764 -ip 4764
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4764 -ip 4764
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4764 -ip 4764
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4764 -ip 4764
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4764 -ip 4764
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4764 -ip 4764
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4764 -ip 4764
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1432 -ip 1432
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1432 -ip 1432
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1432 -ip 1432
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1432 -ip 1432
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1432 -ip 1432
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1432 -ip 1432
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1432 -ip 1432
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1432 -ip 1432
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1432 -ip 1432
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1432 -ip 1432
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1432 -ip 1432
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1432 -ip 1432
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1432 -ip 1432
1⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1432 -ip 1432
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1432 -ip 1432
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1432 -ip 1432
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1432 -ip 1432
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1432 -ip 1432
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1432 -ip 1432
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 224 -ip 224
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 224 -ip 224
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 224 -ip 224
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 224 -ip 224
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 224 -ip 224
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 224 -ip 224
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 224 -ip 224
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 224 -ip 224
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 224 -ip 224
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 224 -ip 224
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 224 -ip 224
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 224 -ip 224
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 224 -ip 224
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 224 -ip 224
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 224 -ip 224
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 224 -ip 224
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 224 -ip 224
1⤵
PID:260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 224 -ip 224
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 224 -ip 224
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 224 -ip 224
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 224 -ip 224
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 224 -ip 224
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 224 -ip 224
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 224 -ip 224
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 224 -ip 224
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 224 -ip 224
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 224 -ip 224
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 224 -ip 224
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 224 -ip 224
1⤵
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.4MB

MD5
f50d7e5eb828c1b64b674b1decf32416

SHA1
1d2dfe56e6693572cebc72ce617a03070798c7a3

SHA256
be33ed4f9d804207cde82fe2402766243c4739a2c4d9319cf4781858eca82e07

SHA512
269bae52d7877fa4a138cb3106402a5d7cff2132e8448b559c40ee1515ff88b548ea37a22e59da29c790f20a22e64fa22993d35a6788b85507808cd8c7653eab

Download Submit
memory/224-28-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-26-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/224-18-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-19-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-33-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-32-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-31-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-30-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-29-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-20-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-27-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-34-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/224-17-0x0000000005200000-0x0000000005700000-memory.dmp

Filesize
5.0MB

Download
memory/1432-10-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/1432-14-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/1432-9-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/1432-8-0x0000000004EB0000-0x00000000052F5000-memory.dmp

Filesize
4.3MB

Download
memory/4764-2-0x0000000005150000-0x0000000005A76000-memory.dmp

Filesize
9.1MB

Download
memory/4764-6-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/4764-1-0x0000000004D10000-0x000000000514F000-memory.dmp

Filesize
4.2MB

Download
memory/4764-3-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/4764-4-0x0000000000400000-0x00000000030EF000-memory.dmp

Filesize
44.9MB

Download
memory/4764-7-0x0000000005150000-0x0000000005A76000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads