glupteba | 38d0497642677bb199f9724cc4c173bce0247540e5b2ea5c2a45f2855f58f45a

Analysis

max time kernel
149s
max time network
158s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
09-12-2023 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

211KB
MD5

6e6263a63f0e602511310e87ff141a4a
SHA1

0c1416ddbf80229e8cd5688eaf1ba1388260d308
SHA256

38d0497642677bb199f9724cc4c173bce0247540e5b2ea5c2a45f2855f58f45a
SHA512

d17c81e9c0d8cc411073b7f72ee5fedf098d260f825ae3605c453670136f38352b746e5acd23c0e1bc212c4fb09acf9435c37395e6ce72e7cd5f502bf29a60cd
SSDEEP

3072:4qGLRbCrLaEYlkxOryDqz5ctMcULW80R9Ax:lGLReruEYlTry2zprLL

Score

10^/10

glupteba raccoon redline smokeloader logsdiller cloud (bot: @logsdillabot)pub1 backdoor collection discovery dropper evasion infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

57.128.155.22:20154

Extracted

Family

smokeloader

Botnet

pub1

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/564-114-0x00000000029C0000-0x00000000032AB000-memory.dmp	family_glupteba
behavioral1/memory/564-116-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/564-167-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/564-188-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-192-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-201-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2752-207-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2752-240-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2752-305-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2752-308-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2752-323-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2752-326-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2752-332-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2796-22-0x0000000000230000-0x0000000000246000-memory.dmp	family_raccoon_v2
behavioral1/memory/2796-23-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral1/memory/2796-54-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1500-44-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1500-45-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1500-47-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1500-49-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1500-51-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1500-53-0x0000000007380000-0x00000000073C0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3C89.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3C89.exe = "0"	3C89.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

CEF.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CEF.exe
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3036 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CEF.exe

pid	process
3036	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CEF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CEF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CEF.exe

Deletes itself 1 IoCs

Processes:

pid process

1204
Executes dropped EXE 11 IoCs

Processes:

D421.exeE8BC.exeCEF.exe2DE8.exe3C89.exe5BFB.exe5BFB.tmp3C89.execsrss.exepatch.exeinjector.exe

pid process

2796 D421.exe
280 E8BC.exe
1792 CEF.exe
1752 2DE8.exe
564 3C89.exe
2864 5BFB.exe
1392 5BFB.tmp
1104 3C89.exe
2752 csrss.exe
2528 patch.exe
752 injector.exe

pid	process
1204

pid	process
2796	D421.exe
280	E8BC.exe
1792	CEF.exe
1752	2DE8.exe
564	3C89.exe
2864	5BFB.exe
1392	5BFB.tmp
1104	3C89.exe
2752	csrss.exe
2528	patch.exe
752	injector.exe

Loads dropped DLL 15 IoCs

Processes:

regsvr32.exe5BFB.exe5BFB.tmp3C89.exepatch.execsrss.exe

pid	process
2940	regsvr32.exe
2864	5BFB.exe
1392	5BFB.tmp
1392	5BFB.tmp
1392	5BFB.tmp
1392	5BFB.tmp
1104	3C89.exe
1104	3C89.exe
844
2528	patch.exe
2528	patch.exe
2752	csrss.exe
2528	patch.exe
2528	patch.exe
2528	patch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\CEF.exe	themida
behavioral1/memory/1792-81-0x0000000000C00000-0x0000000001804000-memory.dmp	themida
behavioral1/memory/1792-79-0x0000000000C00000-0x0000000001804000-memory.dmp	themida

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3C89.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3C89.exe = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	3C89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	3C89.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3C89.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	3C89.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

CEF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CEF.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

CEF.exe

pid process

1792 CEF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

E8BC.exe

description pid process target process

PID 280 set thread context of 1500 280 E8BC.exe AppLaunch.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

3C89.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 3C89.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CEF.exe

pid	process
1792	CEF.exe

description	pid	process	target process
PID 280 set thread context of 1500	280	E8BC.exe	AppLaunch.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	3C89.exe

Drops file in Program Files directory 5 IoCs

Processes:

5BFB.tmp

description	ioc	process
File created	C:\Program Files (x86)\VoiceAssistant\uninstall\unins000.dat	5BFB.tmp
File created	C:\Program Files (x86)\VoiceAssistant\uninstall\is-QCQHN.tmp	5BFB.tmp
File created	C:\Program Files (x86)\VoiceAssistant\stuff\is-FCK1G.tmp	5BFB.tmp
File created	C:\Program Files (x86)\VoiceAssistant\stuff\is-F6KSM.tmp	5BFB.tmp
File created	C:\Program Files (x86)\VoiceAssistant\stuff\is-I481Q.tmp	5BFB.tmp

Drops file in Windows directory 3 IoCs

Processes:

3C89.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	3C89.exe
File created	C:\Windows\rss\csrss.exe	3C89.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231209191238.cab	makecab.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe2DE8.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DE8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DE8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2DE8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2720 schtasks.exe

pid	process
2720	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

3C89.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	3C89.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	3C89.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	3C89.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

csrss.exepatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1728	file.exe
1728	file.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exe2DE8.exe

pid process

1728 file.exe
1752 2DE8.exe
1204
1204
1204
1204

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

CEF.exe3C89.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	1792	CEF.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeDebugPrivilege	564	3C89.exe
Token: SeImpersonatePrivilege	564	3C89.exe
Token: SeSystemEnvironmentPrivilege	2752	csrss.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

5BFB.tmp

pid process

1204
1204
1392 5BFB.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1204
1204

pid	process
1204
1204
1392	5BFB.tmp

pid	process
1204
1204

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeE8BC.exe5BFB.exe

description	pid	process	target process
PID 1204 wrote to memory of 2796	1204		D421.exe
PID 1204 wrote to memory of 2796	1204		D421.exe
PID 1204 wrote to memory of 2796	1204		D421.exe
PID 1204 wrote to memory of 2796	1204		D421.exe
PID 1204 wrote to memory of 2560	1204		regsvr32.exe
PID 1204 wrote to memory of 2560	1204		regsvr32.exe
PID 1204 wrote to memory of 2560	1204		regsvr32.exe
PID 1204 wrote to memory of 2560	1204		regsvr32.exe
PID 1204 wrote to memory of 2560	1204		regsvr32.exe
PID 2560 wrote to memory of 2940	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 2940	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 2940	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 2940	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 2940	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 2940	2560	regsvr32.exe	regsvr32.exe
PID 2560 wrote to memory of 2940	2560	regsvr32.exe	regsvr32.exe
PID 1204 wrote to memory of 280	1204		E8BC.exe
PID 1204 wrote to memory of 280	1204		E8BC.exe
PID 1204 wrote to memory of 280	1204		E8BC.exe
PID 1204 wrote to memory of 280	1204		E8BC.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 280 wrote to memory of 1500	280	E8BC.exe	AppLaunch.exe
PID 1204 wrote to memory of 1792	1204		CEF.exe
PID 1204 wrote to memory of 1792	1204		CEF.exe
PID 1204 wrote to memory of 1792	1204		CEF.exe
PID 1204 wrote to memory of 1792	1204		CEF.exe
PID 1204 wrote to memory of 1752	1204		2DE8.exe
PID 1204 wrote to memory of 1752	1204		2DE8.exe
PID 1204 wrote to memory of 1752	1204		2DE8.exe
PID 1204 wrote to memory of 1752	1204		2DE8.exe
PID 1204 wrote to memory of 564	1204		3C89.exe
PID 1204 wrote to memory of 564	1204		3C89.exe
PID 1204 wrote to memory of 564	1204		3C89.exe
PID 1204 wrote to memory of 564	1204		3C89.exe
PID 1204 wrote to memory of 2864	1204		5BFB.exe
PID 1204 wrote to memory of 2864	1204		5BFB.exe
PID 1204 wrote to memory of 2864	1204		5BFB.exe
PID 1204 wrote to memory of 2864	1204		5BFB.exe
PID 1204 wrote to memory of 2864	1204		5BFB.exe
PID 1204 wrote to memory of 2864	1204		5BFB.exe
PID 1204 wrote to memory of 2864	1204		5BFB.exe
PID 2864 wrote to memory of 1392	2864	5BFB.exe	5BFB.tmp
PID 2864 wrote to memory of 1392	2864	5BFB.exe	5BFB.tmp
PID 2864 wrote to memory of 1392	2864	5BFB.exe	5BFB.tmp
PID 2864 wrote to memory of 1392	2864	5BFB.exe	5BFB.tmp
PID 2864 wrote to memory of 1392	2864	5BFB.exe	5BFB.tmp
PID 2864 wrote to memory of 1392	2864	5BFB.exe	5BFB.tmp
PID 2864 wrote to memory of 1392	2864	5BFB.exe	5BFB.tmp
PID 1204 wrote to memory of 1660	1204		explorer.exe
PID 1204 wrote to memory of 1660	1204		explorer.exe
PID 1204 wrote to memory of 1660	1204		explorer.exe
PID 1204 wrote to memory of 1660	1204		explorer.exe
PID 1204 wrote to memory of 1660	1204		explorer.exe
PID 1204 wrote to memory of 2936	1204		explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1728

C:\Users\Admin\AppData\Local\Temp\D421.exe
C:\Users\Admin\AppData\Local\Temp\D421.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DC8A.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\DC8A.dll
2⤵
- Loads dropped DLL
PID:2940

C:\Users\Admin\AppData\Local\Temp\E8BC.exe
C:\Users\Admin\AppData\Local\Temp\E8BC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\CEF.exe
C:\Users\Admin\AppData\Local\Temp\CEF.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\2DE8.exe
C:\Users\Admin\AppData\Local\Temp\2DE8.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1752

C:\Users\Admin\AppData\Local\Temp\3C89.exe
C:\Users\Admin\AppData\Local\Temp\3C89.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Users\Admin\AppData\Local\Temp\3C89.exe
"C:\Users\Admin\AppData\Local\Temp\3C89.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:2200

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3036

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2528

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:752

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231209191238.log C:\Windows\Logs\CBS\CbsPersist_20231209191238.cab
1⤵
- Drops file in Windows directory
PID:956

C:\Users\Admin\AppData\Local\Temp\5BFB.exe
C:\Users\Admin\AppData\Local\Temp\5BFB.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\is-445RU.tmp\5BFB.tmp
"C:\Users\Admin\AppData\Local\Temp\is-445RU.tmp\5BFB.tmp" /SL5="$50162,7429766,54272,C:\Users\Admin\AppData\Local\Temp\5BFB.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1660

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DE8.exe

Filesize
212KB

MD5
c530211a06fe7c0aa83ab4d514ef1098

SHA1
21dd6462fb613ac1a71465164b18216efae168bf

SHA256
4a5a19a2839b5d4dc586e75ac0a7adf3f3403fb995f5e787fd8e5ec7a4d5738a

SHA512
539f797ec676ee17e50068e3f27810238e5111771430092c21df1ec624523c878dc1192ed6c51694cbe300d144d23005ad2e4b3de5340919d63908fdedaa3d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DE8.exe

Filesize
212KB

MD5
c530211a06fe7c0aa83ab4d514ef1098

SHA1
21dd6462fb613ac1a71465164b18216efae168bf

SHA256
4a5a19a2839b5d4dc586e75ac0a7adf3f3403fb995f5e787fd8e5ec7a4d5738a

SHA512
539f797ec676ee17e50068e3f27810238e5111771430092c21df1ec624523c878dc1192ed6c51694cbe300d144d23005ad2e4b3de5340919d63908fdedaa3d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C89.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C89.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C89.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3C89.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BFB.exe

Filesize
7.3MB

MD5
68af173b6ee61587d71fa50b3c670c52

SHA1
2e379d6397c86ba89ecc4ee727de4f34415fb7a2

SHA256
7219c9f7b31d5c75ef6a48ecea59c66d9a086b9c26d41c89f023023c64fcbdb0

SHA512
4fd6ba41db389c448bbc6aee43e99a507e7b91fe3f7f57559a16bdc434097c88cd226ab8caa73447711f0e05a5552b6e31326b810b65f1734c4df1b42b918f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BFB.exe

Filesize
7.3MB

MD5
68af173b6ee61587d71fa50b3c670c52

SHA1
2e379d6397c86ba89ecc4ee727de4f34415fb7a2

SHA256
7219c9f7b31d5c75ef6a48ecea59c66d9a086b9c26d41c89f023023c64fcbdb0

SHA512
4fd6ba41db389c448bbc6aee43e99a507e7b91fe3f7f57559a16bdc434097c88cd226ab8caa73447711f0e05a5552b6e31326b810b65f1734c4df1b42b918f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEF.exe

Filesize
4.2MB

MD5
33c6731fb7512630217f405efc5c71b4

SHA1
bf483f230f4bbaf53e0610182ef9f94a95dcb67a

SHA256
0fb245e80fdb23c83dcef3ee510e7633acb208c1b07b825f0b6764c8faf5700b

SHA512
eea6ee3169b2eaecaf84e78e42372d1000938f7eefb0bfb75a1b87a612676f89b1473fdbf1c7c4caf3949dae6eecbb9e39f85fb2abc2d702bdbc8ee3ce60fd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBA7B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D421.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\D421.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC8A.dll

Filesize
3.0MB

MD5
18356cbd55de61190244f9be22cf2f6d

SHA1
98510c90b004e98090a1462bf056fa916f1f2e0a

SHA256
fdf19145c1592639e437eeca85b1538afb20835d0c87684378089fd03bc6d0f8

SHA512
5c043e414428d03a71f61512b2f18a5b1392296830c21d00276ad03578c7614456615cdf8bf96a8201925bd5520cdddd6b1dfeb1dd93c1f649d7a4a89a14fdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8BC.exe

Filesize
1.9MB

MD5
5251ab2960cc14aa925735a84fce288c

SHA1
6e6080511b0ad8a68729b190b1597a65d5ab867b

SHA256
fa7f8898a16a926ef1df7f9560a3a16847d8e7e7ba14da99198c9548ad939319

SHA512
08225b3319ea576ccffa1e97a27ad37cd0bf7d8427b587a13f4412a6ec8e834cb2564d1587f678e352022ee07e423df6ba19dab7dba47d1cf88d24368439b289

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8BC.exe

Filesize
1.9MB

MD5
5251ab2960cc14aa925735a84fce288c

SHA1
6e6080511b0ad8a68729b190b1597a65d5ab867b

SHA256
fa7f8898a16a926ef1df7f9560a3a16847d8e7e7ba14da99198c9548ad939319

SHA512
08225b3319ea576ccffa1e97a27ad37cd0bf7d8427b587a13f4412a6ec8e834cb2564d1587f678e352022ee07e423df6ba19dab7dba47d1cf88d24368439b289

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBFC0.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-445RU.tmp\5BFB.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
\??\c:\users\admin\appdata\local\temp\is-445ru.tmp\5bfb.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
\Users\Admin\AppData\Local\Temp\DC8A.dll

Filesize
3.0MB

MD5
18356cbd55de61190244f9be22cf2f6d

SHA1
98510c90b004e98090a1462bf056fa916f1f2e0a

SHA256
fdf19145c1592639e437eeca85b1538afb20835d0c87684378089fd03bc6d0f8

SHA512
5c043e414428d03a71f61512b2f18a5b1392296830c21d00276ad03578c7614456615cdf8bf96a8201925bd5520cdddd6b1dfeb1dd93c1f649d7a4a89a14fdbe

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OHB7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OHB7.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OHB7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-0OHB7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-445RU.tmp\5BFB.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
cd5746d86404c8616fdd39e1534941b9

SHA1
60a8a9bba3ad19069af8d18a16ed433e89a9e381

SHA256
d5af5aa139be830b6b51e5bb568afc242900d10cafa51257cde37914e22680fd

SHA512
1d36af9fe458d6a51980492e073f21ca5c0ff35b734c6719805f01062dd034110ae1ac57d378998078d6397484a013e571bd73bc9382393a549a98c7f0937bcd

Download Submit
memory/564-167-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/564-188-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/564-110-0x00000000025C0000-0x00000000029B8000-memory.dmp

Filesize
4.0MB

Download
memory/564-116-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/564-114-0x00000000029C0000-0x00000000032AB000-memory.dmp

Filesize
8.9MB

Download
memory/564-113-0x00000000025C0000-0x00000000029B8000-memory.dmp

Filesize
4.0MB

Download
memory/1104-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-192-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-191-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/1104-189-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/1204-4-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/1204-115-0x00000000039A0000-0x00000000039B6000-memory.dmp

Filesize
88KB

Download
memory/1392-206-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1392-161-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1500-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-53-0x0000000007380000-0x00000000073C0000-memory.dmp

Filesize
256KB

Download
memory/1500-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-112-0x0000000007380000-0x00000000073C0000-memory.dmp

Filesize
256KB

Download
memory/1500-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-93-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1500-51-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1500-52-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-143-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/1660-179-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/1660-183-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/1728-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1728-5-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1728-3-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1728-1-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/1752-102-0x00000000001C0000-0x00000000001CB000-memory.dmp

Filesize
44KB

Download
memory/1752-101-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1752-103-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download
memory/1752-117-0x0000000000400000-0x0000000000857000-memory.dmp

Filesize
4.3MB

Download
memory/1792-66-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-83-0x0000000075C50000-0x0000000075C97000-memory.dmp

Filesize
284KB

Download
memory/1792-67-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-60-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-131-0x0000000000C00000-0x0000000001804000-memory.dmp

Filesize
12.0MB

Download
memory/1792-59-0x0000000000C00000-0x0000000001804000-memory.dmp

Filesize
12.0MB

Download
memory/1792-132-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-68-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-62-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-64-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-148-0x0000000075C50000-0x0000000075C97000-memory.dmp

Filesize
284KB

Download
memory/1792-63-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-65-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-149-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-91-0x0000000007E40000-0x0000000007E80000-memory.dmp

Filesize
256KB

Download
memory/1792-71-0x0000000075C50000-0x0000000075C97000-memory.dmp

Filesize
284KB

Download
memory/1792-157-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-151-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-89-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-88-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/1792-86-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-87-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-186-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1792-73-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-75-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-78-0x0000000075C50000-0x0000000075C97000-memory.dmp

Filesize
284KB

Download
memory/1792-85-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-84-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-79-0x0000000000C00000-0x0000000001804000-memory.dmp

Filesize
12.0MB

Download
memory/1792-190-0x0000000007E40000-0x0000000007E80000-memory.dmp

Filesize
256KB

Download
memory/1792-82-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-61-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-80-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-81-0x0000000000C00000-0x0000000001804000-memory.dmp

Filesize
12.0MB

Download
memory/1792-77-0x0000000077220000-0x0000000077330000-memory.dmp

Filesize
1.1MB

Download
memory/1792-76-0x0000000075C50000-0x0000000075C97000-memory.dmp

Filesize
284KB

Download
memory/2528-214-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2752-323-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-305-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-326-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-336-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-202-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2752-332-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-308-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2752-205-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2796-54-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2796-23-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2796-21-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/2796-22-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2796-90-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/2864-204-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2864-127-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2936-184-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2936-185-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/2940-34-0x0000000002520000-0x0000000002624000-memory.dmp

Filesize
1.0MB

Download
memory/2940-28-0x0000000010000000-0x00000000102FF000-memory.dmp

Filesize
3.0MB

Download
memory/2940-27-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2940-30-0x00000000023F0000-0x0000000002511000-memory.dmp

Filesize
1.1MB

Download
memory/2940-31-0x0000000002520000-0x0000000002624000-memory.dmp

Filesize
1.0MB

Download
memory/2940-32-0x0000000002520000-0x0000000002624000-memory.dmp

Filesize
1.0MB

Download
memory/2940-35-0x0000000002520000-0x0000000002624000-memory.dmp

Filesize
1.0MB

Download