glupteba | 2b3fbb77e5ed29f7ffbcb9a73cc1e467aed6447fcaf28a47d50f78c81fa17eaf

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

678KB
MD5

6c81e39fd156891a6e8bbf3d8355e54b
SHA1

3dba98dfcb96bed3f63e8d7524458127d1f8e877
SHA256

2b3fbb77e5ed29f7ffbcb9a73cc1e467aed6447fcaf28a47d50f78c81fa17eaf
SHA512

664bc397ce092bc555e4a0139607bf66993e5537d13e09c2f604bbbda4be081f85e2e0b4664e8525ecdb45509082d06ff2105808b6e3707930623718d0b3c51c
SSDEEP

12288:cjY/CBAkfIulEPWZmmdtpTkUtBYDxnnz5/ikp3tW9zgOX4sRqG1sqAQO1:F/C6kXNlS5KkqBnqGqqAQO1

Score

10^/10

glupteba discovery dropper evasion loader persistence trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 24 IoCs

resource	yara_rule
behavioral1/memory/1664-161-0x0000000002B50000-0x000000000343B000-memory.dmp	family_glupteba
behavioral1/memory/1664-162-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/396-179-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1664-182-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/396-185-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1664-186-0x0000000002B50000-0x000000000343B000-memory.dmp	family_glupteba
behavioral1/memory/2432-191-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2384-192-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2432-203-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-206-0x0000000002900000-0x00000000031EB000-memory.dmp	family_glupteba
behavioral1/memory/2236-207-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2384-208-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-248-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-253-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-265-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-274-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-285-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-288-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-290-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-291-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-292-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-293-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-294-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-303-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\qk8CpgNSlKwYpRVIJguVw9X7.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YCgJetloWOava1mzX57Sc7Be.exe = "0"	YCgJetloWOava1mzX57Sc7Be.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
572	netsh.exe
2216	netsh.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ouBHfSbk06B0Nmz9rAI9FgUk.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8VCTvRRxPB6FxHAy3y5vqCaO.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cwlJSEbrNAvKqUuiJ1d1oLz4.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OodsNgbaBCPiPGhFQJytFXRF.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C0J0qj952tglYTGHHxE7teuv.bat	jsc.exe

Executes dropped EXE 8 IoCs

pid	Process
1664	qk8CpgNSlKwYpRVIJguVw9X7.exe
396	YCgJetloWOava1mzX57Sc7Be.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
2384	YCgJetloWOava1mzX57Sc7Be.exe
2236	csrss.exe
828	patch.exe
2792	injector.exe
1644	td2VJik5yLQdyPDaPUOfCoOS.exe

Loads dropped DLL 19 IoCs

pid	Process
3048	jsc.exe
3048	jsc.exe
3048	jsc.exe
3048	jsc.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
844	Process not Found
2236	csrss.exe
828	patch.exe
828	patch.exe
828	patch.exe
828	patch.exe
828	patch.exe
3048	jsc.exe
1644	td2VJik5yLQdyPDaPUOfCoOS.exe
1644	td2VJik5yLQdyPDaPUOfCoOS.exe
828	patch.exe
828	patch.exe
828	patch.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2852-0-0x000000013F9B0000-0x000000013FBBB000-memory.dmp	upx
behavioral1/memory/2852-7-0x000000013F9B0000-0x000000013FBBB000-memory.dmp	upx
behavioral1/files/0x000500000000f6f8-271.dat	upx
behavioral1/memory/3048-273-0x00000000080C0000-0x00000000085A8000-memory.dmp	upx
behavioral1/files/0x000500000000f6f8-275.dat	upx
behavioral1/files/0x000500000000f6f8-276.dat	upx
behavioral1/memory/1644-277-0x0000000000B50000-0x0000000001038000-memory.dmp	upx
behavioral1/memory/1644-286-0x0000000000B50000-0x0000000001038000-memory.dmp	upx
behavioral1/memory/1644-287-0x0000000000B50000-0x0000000001038000-memory.dmp	upx

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\qk8CpgNSlKwYpRVIJguVw9X7.exe = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YCgJetloWOava1mzX57Sc7Be.exe = "0"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	qk8CpgNSlKwYpRVIJguVw9X7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	YCgJetloWOava1mzX57Sc7Be.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 3048	2852	file.exe	28

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	YCgJetloWOava1mzX57Sc7Be.exe
File opened (read-only)	\??\VBoxMiniRdrDN	qk8CpgNSlKwYpRVIJguVw9X7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	qk8CpgNSlKwYpRVIJguVw9X7.exe
File created	C:\Windows\rss\csrss.exe	qk8CpgNSlKwYpRVIJguVw9X7.exe
File opened for modification	C:\Windows\rss	YCgJetloWOava1mzX57Sc7Be.exe
File created	C:\Windows\rss\csrss.exe	YCgJetloWOava1mzX57Sc7Be.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240101175202.cab	makecab.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2988	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	qk8CpgNSlKwYpRVIJguVw9X7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	YCgJetloWOava1mzX57Sc7Be.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	YCgJetloWOava1mzX57Sc7Be.exe
1664	qk8CpgNSlKwYpRVIJguVw9X7.exe
2384	YCgJetloWOava1mzX57Sc7Be.exe
2384	YCgJetloWOava1mzX57Sc7Be.exe
2384	YCgJetloWOava1mzX57Sc7Be.exe
2384	YCgJetloWOava1mzX57Sc7Be.exe
2384	YCgJetloWOava1mzX57Sc7Be.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
2432	qk8CpgNSlKwYpRVIJguVw9X7.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe
2792	injector.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	jsc.exe
Token: SeDebugPrivilege	396	YCgJetloWOava1mzX57Sc7Be.exe
Token: SeImpersonatePrivilege	396	YCgJetloWOava1mzX57Sc7Be.exe
Token: SeDebugPrivilege	1664	qk8CpgNSlKwYpRVIJguVw9X7.exe
Token: SeImpersonatePrivilege	1664	qk8CpgNSlKwYpRVIJguVw9X7.exe
Token: SeSystemEnvironmentPrivilege	2236	csrss.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 2852 wrote to memory of 3048	2852	file.exe	28
PID 3048 wrote to memory of 1664	3048	jsc.exe	29
PID 3048 wrote to memory of 1664	3048	jsc.exe	29
PID 3048 wrote to memory of 1664	3048	jsc.exe	29
PID 3048 wrote to memory of 1664	3048	jsc.exe	29
PID 3048 wrote to memory of 396	3048	jsc.exe	34
PID 3048 wrote to memory of 396	3048	jsc.exe	34
PID 3048 wrote to memory of 396	3048	jsc.exe	34
PID 3048 wrote to memory of 396	3048	jsc.exe	34
PID 2384 wrote to memory of 1112	2384	YCgJetloWOava1mzX57Sc7Be.exe	37
PID 2384 wrote to memory of 1112	2384	YCgJetloWOava1mzX57Sc7Be.exe	37
PID 2384 wrote to memory of 1112	2384	YCgJetloWOava1mzX57Sc7Be.exe	37
PID 2384 wrote to memory of 1112	2384	YCgJetloWOava1mzX57Sc7Be.exe	37
PID 1112 wrote to memory of 2216	1112	cmd.exe	41
PID 1112 wrote to memory of 2216	1112	cmd.exe	41
PID 1112 wrote to memory of 2216	1112	cmd.exe	41
PID 2432 wrote to memory of 2212	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	38
PID 2432 wrote to memory of 2212	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	38
PID 2432 wrote to memory of 2212	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	38
PID 2432 wrote to memory of 2212	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	38
PID 2212 wrote to memory of 572	2212	cmd.exe	40
PID 2212 wrote to memory of 572	2212	cmd.exe	40
PID 2212 wrote to memory of 572	2212	cmd.exe	40
PID 2432 wrote to memory of 2236	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	43
PID 2432 wrote to memory of 2236	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	43
PID 2432 wrote to memory of 2236	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	43
PID 2432 wrote to memory of 2236	2432	qk8CpgNSlKwYpRVIJguVw9X7.exe	43
PID 2236 wrote to memory of 2792	2236	csrss.exe	51
PID 2236 wrote to memory of 2792	2236	csrss.exe	51
PID 2236 wrote to memory of 2792	2236	csrss.exe	51
PID 2236 wrote to memory of 2792	2236	csrss.exe	51
PID 3048 wrote to memory of 1644	3048	jsc.exe	56
PID 3048 wrote to memory of 1644	3048	jsc.exe	56
PID 3048 wrote to memory of 1644	3048	jsc.exe	56
PID 3048 wrote to memory of 1644	3048	jsc.exe	56
PID 3048 wrote to memory of 1644	3048	jsc.exe	56
PID 3048 wrote to memory of 1644	3048	jsc.exe	56
PID 3048 wrote to memory of 1644	3048	jsc.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\Pictures\qk8CpgNSlKwYpRVIJguVw9X7.exe
    "C:\Users\Admin\Pictures\qk8CpgNSlKwYpRVIJguVw9X7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
  - - C:\Users\Admin\Pictures\qk8CpgNSlKwYpRVIJguVw9X7.exe
      "C:\Users\Admin\Pictures\qk8CpgNSlKwYpRVIJguVw9X7.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:572
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2988
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2972
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:828
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
- - C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe
    "C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:396
  - - C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe
      "C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2216
- - C:\Users\Admin\Pictures\td2VJik5yLQdyPDaPUOfCoOS.exe
    "C:\Users\Admin\Pictures\td2VJik5yLQdyPDaPUOfCoOS.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1644

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240101175202.log C:\Windows\Logs\CBS\CbsPersist_20240101175202.cab
1⤵
- Drops file in Windows directory
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4c690dfe144524e599118e95a3f81d0

SHA1
9f668a753536277c110026d3ce23b2bfdc9e03a5

SHA256
44878fb1d2f156586f103a253c1595f4c403d817a740026f7f550d7f403c724d

SHA512
b56fe3086196acc23ec2d97913020b4ecc8de0d7cdf20fc4743c491f7095d62ce052b5880ce8e1f7e101d1896bdce9fa5b3204d187a303e8ffbd918f8319680b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9b20850678fedbab2ef8b97b1dfc641

SHA1
63ef32d562ebfdf3ae7b37fce7fec1007d1cf6da

SHA256
903291e67fcfa0b937a25ba58f6c81f164b8cb647b3afe197c8e83ac8203e1bd

SHA512
4f1c2108562c7abc89a25d44ba0b528960c195d6cf35a2b5f1bf3ef4db68798f50631682bb496b90fc77a20752938f62022cc73f1d8963d256be382cb70a5386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8488130f24a3682b3750d87946139c73

SHA1
7faed937b361a17a9e0a31ae8c86e39031238689

SHA256
fc4e73f60cdbbd2986555ef37a7eaf3c1f58e9f28f5b066919e699e333eaa2a2

SHA512
40ce538b0100501951a764729bebd7a20b469886670bd0f9162d809e494118465c2cdc21e1db0b367d9efbb053db1c8edba2b0aa406c573ccbbe3129b401e60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7679.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar76DA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
192KB

MD5
b0501abdb7e3d679dfeba1158d0b7cb0

SHA1
272a4664af0c6ba1ab40459656e60c5cfb3725ee

SHA256
ba77a33078a08cdc1dc6ff3fde2a7a1a9d5d2520a3ff74cc8ea95e288b1e3fc3

SHA512
1f36cce8c018f046a4fd19011dfd9914ac1b8708e95c06e44ff065b7aeac9b44da7630ce0f915a693a556b2257c3d8aa603d653d43f6a3690aec9c98dbdd7936

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.4MB

MD5
5ab827c79a39c500e9a18d7cf969291c

SHA1
4845a7f39470e098cb951fb3e0aa168a4f2f5ce8

SHA256
e6fe4e2507b900a97f8916ff2252fa36e932e26db523398abdacc55e2f09678c

SHA512
08f99e1fc97f78c764ef5a8173af024a57cb1f6258b739a958232ff8c5a20cbc15387c43b4370b8deda5ab58885605f61bb2dd51d62b570c08edba810f6c3f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
3.4MB

MD5
1f1821fc28134998be2fb5d4d866d4e9

SHA1
03bfbaa0e3a83d5073bf8b71e160beeb06883345

SHA256
f8ba8b48a615306a8b2a25238618d7c0a5c17c90d0322d538a7be7766053c1ed

SHA512
8f837a4eb7c7beb579a9bfda4affaddbb52f8a505e86f38be211d401d5f97a02c3e3061d8c19b2cb5197a705d7edd85845a82b0a4272f0ec2fc8239000032dc9

Download Submit
C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe

Filesize
4.1MB

MD5
c0fa709251c22177408ce0d371c2abef

SHA1
2a2458c25c85f25f49f66d5a59f7d9b9dc3edd8b

SHA256
d3ce1ff497b1c264f03ef71d35b5a7f2ac1f669c7a4266bd93f3cc4a1733d44d

SHA512
53d850da25767780e579f2e043e458183d6ed7d9b27ca7be56478588bf979ab46c3db71248cfe79ccb829bd8d2b654d114279c2e93b5edf6a954884aae3f6e62

Download Submit
C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe

Filesize
1.2MB

MD5
ccbdfe401ada20376c5e387a75bfc5e5

SHA1
e2915228156e5dfb9b302cb42df16f1e63743e9b

SHA256
4b33138db3e18debe564c74bc0ff1c4335c2a016b8aebf1423786957d26f051c

SHA512
606dc4b50fc178c82ee5b50c717629d492284aa4a6c8159a064a1abba67a6c93d65c87cf71649664bee7178ed6e8fd8706dd565f3f4a9b14e38d9cec43acdcf9

Download Submit
C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe

Filesize
28KB

MD5
d9aecce11740a22ce8835a4834850ac2

SHA1
bea35684ab6a354ad2dd81923a004257776a744a

SHA256
56148edabac50715c1d7c29347dbf0815eea3177d54ab4ec38e0e204a0bda5ac

SHA512
137888d98651a008f2a0f553f0e369e49f65fb7293c0ab17260efb27996f2e17290256058a354adce04591b46456d2a0bfd7b248b31e93d69d1e96c05c5a8ccd

Download Submit
C:\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe

Filesize
128KB

MD5
001e6809e60c2c91fd2a43402f4a831b

SHA1
2b010e3a4c24dd531fa3c6f9ca385266e3ab9dbb

SHA256
56d5c8c9f9cdcad960ea7bea715d9b25267e042c07b4185c9711bd26da8ca473

SHA512
06dffa9462bad1314042b295849f0fd0210717cb510cfcdba43dc986bf33a7ad21363b33abf4e54aa906d791b1504c00413339cedace87a3fd4d6d37118d7cc3

Download Submit
C:\Users\Admin\Pictures\qk8CpgNSlKwYpRVIJguVw9X7.exe

Filesize
4.1MB

MD5
c927cc469b65de553987ff90facfd672

SHA1
31c961dff783fc42736c655c55a78b9f975b0ca7

SHA256
0d29228469926c7dcf86f3ec43f7107fdda086483244c4bf3e7b3e0af9a6d4ee

SHA512
72f44ecedd832b611f19c939f2096931364a9c4908a8463acb8ea66f61187e110b352ddab7b3cd3e88e050e09469ef49f0a8041dbdfa46e824d144b3a92377c7

Download Submit
C:\Users\Admin\Pictures\qk8CpgNSlKwYpRVIJguVw9X7.exe

Filesize
2.8MB

MD5
7fa746ad8962c69e86c2291c5b5bcc71

SHA1
53a8a9648a5773b5326380aa9dcccb4a2f1ddea5

SHA256
7a6967aa9aac8c51471d5a1cffefe406b51d56a6330f75288b385648b66ac583

SHA512
2b3be12fca81bbebe1635994a2c7fdc3a10981b4bfb8954e2cc492d1c7add8bd93d3ed6c777310644d4f933fd2b5ffb222954765a23e7c6afa274a0c96baa08e

Download Submit
C:\Users\Admin\Pictures\td2VJik5yLQdyPDaPUOfCoOS.exe

Filesize
1024KB

MD5
52097efd88978aa7392d88a58509fa70

SHA1
2f1bb3ed400b1c2914f41595dce35e28541ddd73

SHA256
fa6accc5b6400708863eb3775e18ba072e24d4206a5b8e7d35ef1c5ce1762217

SHA512
c551616c4aeb85e0aa507b5913bc08b10885d8cb7f45cf54bd6a0b4c07fa78faf56714a7a3f089acdc9d93d1a65823424747ef6b2368ea171910dda3ed6d9f17

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.8MB

MD5
167e084d460e4124400fe1a6b928a1ac

SHA1
d3ff7c9aff1caa7211d5f9e3f2ee73afb75da30d

SHA256
95de28c928459f8c6c32a747742d3569b5f1e1a4e11085ed184d32ca76f878be

SHA512
04efb2c7635fcdaeb72f967d4834b730b900aa83a96101ef22e8e8578e1376a9bc083dd6551059a30577a445ff52de1f3294b4a0aeefa0276b2521a346d36baf

Download Submit
C:\Windows\rss\csrss.exe

Filesize
960KB

MD5
e66e737c952e39de49c57a93051d2cb8

SHA1
a6986181d38fac5dbcfe8f8d508a8f41784f358d

SHA256
bca4281f737e307061975129e6de03ec477dbdadbcbab97f452ca9cfacef72e5

SHA512
a8c947a63afa9ebc3447aaffccf420e2a10cbca792fae91e9ef73483fc3c50d79457cd08fc54fd74eb82612a4d6d8b24bd5603c0168458d5bd1090b51d04edea

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2401011752500221644.dll

Filesize
4.3MB

MD5
8cf8e93e2916d18389c23338d95ef472

SHA1
21adefb0dcdfbff39e31bcde8da84ce048adce54

SHA256
81e7a2fa505d364feb8477724cb38846e4f9744eb983b826b9283977a3c3f19e

SHA512
2cc2a42b3487327f11e8965a503a8decc413fc3b378bc5daae645838572233d15f0e8bff28ac55f125599f44e240e3171fd9ab8620d05f4785158fd3c07c1c68

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
192KB

MD5
e88cdcac69c9cbffe14f956e4f854108

SHA1
54f8d73d738b18bc148bee972ef37d74a6f12482

SHA256
34a074d4437e6a06d52ac2dc0c5b9b5a29fe31f49596bf70e4b04efb433368f0

SHA512
452e0c285c8d306e367cac029c72cc14751499e815d1f2c5d795a0f122a6ab3b7d4e7f96c4f115417c5d97e153de823031f819333b848bf2b44e9d7cde8d1987

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
4.2MB

MD5
6887c953e6af391e4c8f1f6878a56379

SHA1
82ee7f92839290a95a44fa79dccb1a65729b61ad

SHA256
96b63e731b21d1832ceccc40eb80f0bc0de24de5eaf74e6e675318a112025303

SHA512
3aeaca150f5bc8e37d322e89c01a1236b72437180bd881ba849b9f7456f10940e0bcee90aefd6e09b8ae49812759a4e58d518d8675db4ffb5b50f07678cde021

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
512KB

MD5
24a85c50f970600a1ff687638d9a8c99

SHA1
e0402650b06c8e76928f3f1cc1d2a3418565e2c7

SHA256
b734ffb7dc34344985a6dbe6f8cd01e07b8743f7679248455d2b29e5dc5943cd

SHA512
4170b1cc8e3f42c4cfe9b832d43669c022ba658b4f99428068e400a23f687b424bb0d3d6f8b8ac270a46d46c8284b01f6ba13a90a829a6ac1050e28cbc33b494

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
448KB

MD5
33f63e6278297e30159507b38e1e4424

SHA1
24f7158e8d2a8a74792557baeeeb7792039a10e0

SHA256
bb9e5d7e8667c94a45f99684bac7a72458beeeae50125310016e1269e2e0f6d5

SHA512
b7bb9196450a6da06eb1fb22f45e029a2ce41a42a7191abb1e4d8ca10c98993a94d2b36129194984ef85c59160cebaa24b9e59b0cc1c1f70a883895b598a9c4b

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\Pictures\Opera_installer_2401011752517401644.dll

Filesize
1.7MB

MD5
d2395c098719e7662ad3745923dbf444

SHA1
83765da3a28827b90195d9449f177993a746e058

SHA256
69dd7598c717d938af847cb7951ff25f1462de76c5fdc090172b4e4f70e8d0d6

SHA512
714c210cbef3351a60f79977dedbc2445a9f0d9abcca4708d49dc19d3b16cf9fafad4ff001d6efdb0f897a29e87671d36e2adfc991aaf277adc5a25e13e9a88f

Download Submit
\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe

Filesize
1.3MB

MD5
ce46670722253f86958968478afb8832

SHA1
afec4a1e23d3ba6e05bcd693cd25c1aec4c26d4a

SHA256
c75ba50d9e3831d609aa88d1a0ba2bccdc21e153a6ff25522b7bde7099c960fe

SHA512
7e452fd6d16eae45372d490395dc6d1cee65f0bf5a837881618836727d705b30ed2a8125c48d7ac4b93b5a5d886aaf94c993f5816b201d20567b480109e29541

Download Submit
\Users\Admin\Pictures\YCgJetloWOava1mzX57Sc7Be.exe

Filesize
3.7MB

MD5
3977b8bfc450e6c9da6ebc94f0428680

SHA1
9bd6b3b53df430ef90b47e1ba6316aff6668a463

SHA256
4c14e057a7c4f28dc8e81ee4690d76e93e5d47362f216c5b6cd07e4d2722e2cd

SHA512
c1de933e7d75af993242fe22506d63e08dbd5ff9dfb447138fe2714ec2423b788b6964cb72eef5b4eff4e58022176b28b598bf50e6953e1086303e84d648f0b6

Download Submit
\Users\Admin\Pictures\qk8CpgNSlKwYpRVIJguVw9X7.exe

Filesize
3.7MB

MD5
88ccc7c4fd141327bfb043097ba6cc52

SHA1
03ecaefd4cf60fb9e0d76aa652c7e8b1406d131a

SHA256
16b66b7b2835bd54bd057bbba525d6ae4b6295bc68a39301738210b36aeba88b

SHA512
be394b00bd9ab28dda43cde7aeb09bd803f11389c673184a9a09dbc663762d5cfe8daf9e5d934553023f05044c55e77c41ec6de5206fed326fabe590e38f9af2

Download Submit
\Users\Admin\Pictures\td2VJik5yLQdyPDaPUOfCoOS.exe

Filesize
1.4MB

MD5
9e2d5ac58fb4cb09448f0b9ec7c18150

SHA1
a85c5addf4abe652a78f591699eb4d9471ab3d24

SHA256
1639c4b730c3875fe73251f1fe65818617d31568b60cbb01da2aa94f99becd94

SHA512
2ad1793bbe590b3b33758d7293e74a27e14b8909043bc293b71c49ab0458fdb621efdad45d243234bdad854c28baea4e6a3a7139eb2928b607882f72fe4bc5c2

Download Submit
\Windows\rss\csrss.exe

Filesize
2.3MB

MD5
a58b334de01f2353a6b97c2db82dbf2f

SHA1
bac827472d22781d294358cca9f41968cde4e50a

SHA256
37fd98a975c720163c86fa08d3a9b4b17294265610b17cae3e95b357360dafd2

SHA512
0680ca0a74aefda18cda50432d126ac70d5ac9ea02620a7b984ea6502016ada1cf875cb0e2d71ab3f99d8eabfac4c15d7afa315400b4381050e87d0c87c1ebfa

Download Submit
\Windows\rss\csrss.exe

Filesize
2.0MB

MD5
a0a1e630dcdded69a8b06eb7d3577e0c

SHA1
4456b486fda4748e502ac46a2e510cee61b04165

SHA256
a2ad9dee2fd4e99214df30c071032f4e369206d8fb289689cebf208caa775d22

SHA512
ca743fa18c86b5fc1efa82094dbe5aaeb21892a62040780e442297a115a37747b062f9b4a2a4bcdb3c63828bbe8e7c97d9a1036b17071f133cfbd17106a8f734

Download Submit
memory/396-176-0x0000000002870000-0x0000000002C68000-memory.dmp

Filesize
4.0MB

Download
memory/396-185-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/396-187-0x0000000002870000-0x0000000002C68000-memory.dmp

Filesize
4.0MB

Download
memory/396-178-0x0000000002870000-0x0000000002C68000-memory.dmp

Filesize
4.0MB

Download
memory/396-179-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-266-0x0000000000540000-0x0000000000B28000-memory.dmp

Filesize
5.9MB

Download
memory/828-215-0x0000000000540000-0x0000000000B28000-memory.dmp

Filesize
5.9MB

Download
memory/828-234-0x0000000000760000-0x0000000000D48000-memory.dmp

Filesize
5.9MB

Download
memory/1644-287-0x0000000000B50000-0x0000000001038000-memory.dmp

Filesize
4.9MB

Download
memory/1644-286-0x0000000000B50000-0x0000000001038000-memory.dmp

Filesize
4.9MB

Download
memory/1644-277-0x0000000000B50000-0x0000000001038000-memory.dmp

Filesize
4.9MB

Download
memory/1664-159-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/1664-160-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/1664-161-0x0000000002B50000-0x000000000343B000-memory.dmp

Filesize
8.9MB

Download
memory/1664-162-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1664-184-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/1664-186-0x0000000002B50000-0x000000000343B000-memory.dmp

Filesize
8.9MB

Download
memory/1664-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-206-0x0000000002900000-0x00000000031EB000-memory.dmp

Filesize
8.9MB

Download
memory/2236-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-265-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-290-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-205-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2236-288-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-202-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2236-292-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-253-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-249-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2236-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-294-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-285-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-303-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2384-190-0x00000000026E0000-0x0000000002AD8000-memory.dmp

Filesize
4.0MB

Download
memory/2384-192-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2384-193-0x00000000026E0000-0x0000000002AD8000-memory.dmp

Filesize
4.0MB

Download
memory/2384-208-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2432-203-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2432-204-0x00000000026E0000-0x0000000002AD8000-memory.dmp

Filesize
4.0MB

Download
memory/2432-188-0x00000000026E0000-0x0000000002AD8000-memory.dmp

Filesize
4.0MB

Download
memory/2432-189-0x00000000026E0000-0x0000000002AD8000-memory.dmp

Filesize
4.0MB

Download
memory/2432-191-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2852-7-0x000000013F9B0000-0x000000013FBBB000-memory.dmp

Filesize
2.0MB

Download
memory/2852-0-0x000000013F9B0000-0x000000013FBBB000-memory.dmp

Filesize
2.0MB

Download
memory/3048-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3048-177-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/3048-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3048-12-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-13-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/3048-164-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-289-0x00000000080C0000-0x00000000085A8000-memory.dmp

Filesize
4.9MB

Download
memory/3048-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3048-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3048-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3048-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3048-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3048-273-0x00000000080C0000-0x00000000085A8000-memory.dmp

Filesize
4.9MB

Download