fabookie | 7307d795569537cef259606c48234c9db61ed7786eefe8151e89d369408308a1

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16-01-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99cc58b450cf68801e301eaea9927a4.exe
Size

6.3MB
MD5

b99cc58b450cf68801e301eaea9927a4
SHA1

eba28bca7e8920f42717e8b0e52611fc9708fc66
SHA256

7307d795569537cef259606c48234c9db61ed7786eefe8151e89d369408308a1
SHA512

0924f89ca33cf794f8188f8232781c4f9b59be1e9e812e379b1923a9eebcae3fa1a7e7dc3e387c47dda2786eaafb3298ee72a10fa4b8d9e9f6294973cbb5af16
SSDEEP

196608:owCqdWR0aKaljq/ypGt65iRJMWSZUXnFTHxP:Sq4aHadpGs5iRJMvMnJV

Score

10^/10

fabookie glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/2712-211-0x00000000037C0000-0x00000000038F0000-memory.dmp	family_fabookie
behavioral1/memory/2712-280-0x00000000037C0000-0x00000000038F0000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral1/memory/2748-194-0x00000000029C0000-0x00000000032AB000-memory.dmp	family_glupteba
behavioral1/memory/2748-195-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2748-206-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2748-207-0x00000000029C0000-0x00000000032AB000-memory.dmp	family_glupteba
behavioral1/memory/2188-266-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2188-276-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-282-0x0000000002920000-0x000000000320B000-memory.dmp	family_glupteba
behavioral1/memory/2004-283-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-369-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-372-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-375-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-377-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-382-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-384-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-415-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-425-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-427-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2004-430-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2512	bcdedit.exe
2872	bcdedit.exe
1496	bcdedit.exe
1972	bcdedit.exe
868	bcdedit.exe
984	bcdedit.exe
2504	bcdedit.exe
1288	bcdedit.exe
2436	bcdedit.exe
1924	bcdedit.exe
1176	bcdedit.exe
3064	bcdedit.exe
2492	bcdedit.exe
2368	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1496	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 12 IoCs

pid	Process
2724	InstallSetup7.exe
2748	31839b57a4f11171d6abc8bbc4451ee4.exe
2712	rty25.exe
2416	BroomSetup.exe
2000	nso5B4C.tmp
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
2004	csrss.exe
2936	patch.exe
2060	injector.exe
800	dsefix.exe
1256	windefender.exe
2184	windefender.exe

Loads dropped DLL 24 IoCs

pid	Process
3016	b99cc58b450cf68801e301eaea9927a4.exe
3016	b99cc58b450cf68801e301eaea9927a4.exe
3016	b99cc58b450cf68801e301eaea9927a4.exe
3016	b99cc58b450cf68801e301eaea9927a4.exe
2724	InstallSetup7.exe
2724	InstallSetup7.exe
2724	InstallSetup7.exe
2724	InstallSetup7.exe
2724	InstallSetup7.exe
2000	nso5B4C.tmp
2000	nso5B4C.tmp
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
856	Process not Found
2936	patch.exe
2936	patch.exe
2936	patch.exe
2936	patch.exe
2936	patch.exe
2004	csrss.exe
2936	patch.exe
2936	patch.exe
2936	patch.exe
2004	csrss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019488-419.dat	upx
behavioral1/memory/1256-420-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2184-423-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1256-424-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2184-428-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240116092614.cab	makecab.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2272	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nso5B4C.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nso5B4C.tmp

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2868	schtasks.exe
312	schtasks.exe
2352	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2728	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	nso5B4C.tmp
2748	31839b57a4f11171d6abc8bbc4451ee4.exe
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
2188	31839b57a4f11171d6abc8bbc4451ee4.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe
2060	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2748	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeSystemEnvironmentPrivilege	2004	csrss.exe
Token: SeSecurityPrivilege	2272	sc.exe
Token: SeSecurityPrivilege	2272	sc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2416	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2724	3016	b99cc58b450cf68801e301eaea9927a4.exe	28
PID 3016 wrote to memory of 2724	3016	b99cc58b450cf68801e301eaea9927a4.exe	28
PID 3016 wrote to memory of 2724	3016	b99cc58b450cf68801e301eaea9927a4.exe	28
PID 3016 wrote to memory of 2724	3016	b99cc58b450cf68801e301eaea9927a4.exe	28
PID 3016 wrote to memory of 2724	3016	b99cc58b450cf68801e301eaea9927a4.exe	28
PID 3016 wrote to memory of 2724	3016	b99cc58b450cf68801e301eaea9927a4.exe	28
PID 3016 wrote to memory of 2724	3016	b99cc58b450cf68801e301eaea9927a4.exe	28
PID 3016 wrote to memory of 2748	3016	b99cc58b450cf68801e301eaea9927a4.exe	29
PID 3016 wrote to memory of 2748	3016	b99cc58b450cf68801e301eaea9927a4.exe	29
PID 3016 wrote to memory of 2748	3016	b99cc58b450cf68801e301eaea9927a4.exe	29
PID 3016 wrote to memory of 2748	3016	b99cc58b450cf68801e301eaea9927a4.exe	29
PID 3016 wrote to memory of 2712	3016	b99cc58b450cf68801e301eaea9927a4.exe	30
PID 3016 wrote to memory of 2712	3016	b99cc58b450cf68801e301eaea9927a4.exe	30
PID 3016 wrote to memory of 2712	3016	b99cc58b450cf68801e301eaea9927a4.exe	30
PID 3016 wrote to memory of 2712	3016	b99cc58b450cf68801e301eaea9927a4.exe	30
PID 2724 wrote to memory of 2416	2724	InstallSetup7.exe	31
PID 2724 wrote to memory of 2416	2724	InstallSetup7.exe	31
PID 2724 wrote to memory of 2416	2724	InstallSetup7.exe	31
PID 2724 wrote to memory of 2416	2724	InstallSetup7.exe	31
PID 2724 wrote to memory of 2416	2724	InstallSetup7.exe	31
PID 2724 wrote to memory of 2416	2724	InstallSetup7.exe	31
PID 2724 wrote to memory of 2416	2724	InstallSetup7.exe	31
PID 2724 wrote to memory of 2000	2724	InstallSetup7.exe	32
PID 2724 wrote to memory of 2000	2724	InstallSetup7.exe	32
PID 2724 wrote to memory of 2000	2724	InstallSetup7.exe	32
PID 2724 wrote to memory of 2000	2724	InstallSetup7.exe	32
PID 2416 wrote to memory of 2488	2416	BroomSetup.exe	35
PID 2416 wrote to memory of 2488	2416	BroomSetup.exe	35
PID 2416 wrote to memory of 2488	2416	BroomSetup.exe	35
PID 2416 wrote to memory of 2488	2416	BroomSetup.exe	35
PID 2488 wrote to memory of 2936	2488	cmd.exe	36
PID 2488 wrote to memory of 2936	2488	cmd.exe	36
PID 2488 wrote to memory of 2936	2488	cmd.exe	36
PID 2488 wrote to memory of 2936	2488	cmd.exe	36
PID 2488 wrote to memory of 2868	2488	cmd.exe	37
PID 2488 wrote to memory of 2868	2488	cmd.exe	37
PID 2488 wrote to memory of 2868	2488	cmd.exe	37
PID 2488 wrote to memory of 2868	2488	cmd.exe	37
PID 2000 wrote to memory of 2716	2000	nso5B4C.tmp	44
PID 2000 wrote to memory of 2716	2000	nso5B4C.tmp	44
PID 2000 wrote to memory of 2716	2000	nso5B4C.tmp	44
PID 2000 wrote to memory of 2716	2000	nso5B4C.tmp	44
PID 2716 wrote to memory of 2728	2716	cmd.exe	45
PID 2716 wrote to memory of 2728	2716	cmd.exe	45
PID 2716 wrote to memory of 2728	2716	cmd.exe	45
PID 2716 wrote to memory of 2728	2716	cmd.exe	45
PID 2188 wrote to memory of 1884	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	48
PID 2188 wrote to memory of 1884	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	48
PID 2188 wrote to memory of 1884	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	48
PID 2188 wrote to memory of 1884	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	48
PID 1884 wrote to memory of 1496	1884	cmd.exe	47
PID 1884 wrote to memory of 1496	1884	cmd.exe	47
PID 1884 wrote to memory of 1496	1884	cmd.exe	47
PID 2188 wrote to memory of 2004	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	49
PID 2188 wrote to memory of 2004	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	49
PID 2188 wrote to memory of 2004	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	49
PID 2188 wrote to memory of 2004	2188	31839b57a4f11171d6abc8bbc4451ee4.exe	49
PID 2004 wrote to memory of 2060	2004	csrss.exe	59
PID 2004 wrote to memory of 2060	2004	csrss.exe	59
PID 2004 wrote to memory of 2060	2004	csrss.exe	59
PID 2004 wrote to memory of 2060	2004	csrss.exe	59
PID 2936 wrote to memory of 2512	2936	patch.exe	61
PID 2936 wrote to memory of 2512	2936	patch.exe	61
PID 2936 wrote to memory of 2512	2936	patch.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b99cc58b450cf68801e301eaea9927a4.exe
"C:\Users\Admin\AppData\Local\Temp\b99cc58b450cf68801e301eaea9927a4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2936
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:2868
- - C:\Users\Admin\AppData\Local\Temp\nso5B4C.tmp
    C:\Users\Admin\AppData\Local\Temp\nso5B4C.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nso5B4C.tmp" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2728
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1884
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Manipulates WinMon driver.
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:312
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2512
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2872
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1496
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1972
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:868
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:984
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2504
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1288
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2436
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1924
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1176
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3064
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2368
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        Executes dropped EXE
        
        PID:800
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2352
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:1256
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:108
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
- C:\Users\Admin\AppData\Local\Temp\rty25.exe
  "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2712

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240116092614.log C:\Windows\Logs\CBS\CbsPersist_20240116092614.cab
1⤵
- Drops file in Windows directory
PID:1596

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:1496

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
904780517f6fd1908b90b6ce275b9d91

SHA1
6386fe722a6dbe66f1e2ee72cc537ca7dcd07d2b

SHA256
3f9af3c9e735f961238cae9c675b973e5a94e9e805b8e85ee9a739810f7de5f2

SHA512
3dc31615bdde69ecfb718bd884690960959f58fb31e555d8e5a01d95db7893e38673c0c7086bb4b8f18f96f687b4f0c1830ffa59302b2f5ba45571cbc279cbee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a4b1d9e8ddc1893a8952414e7b86e225

SHA1
17b58e3b4ac46879350a17b7c6b4cd31f261c434

SHA256
b8c7d1b3325e4bc2a825ead680a418674ed45d19af84efa9c3013e0ae34d639e

SHA512
f4b1c550e657313b8c8e4e368ed844d9b705bc894444e3216cc07100bc8461ee9d92b161b6113f78bf0c3f9e3e8a0a758cb8fd7f9cc557d87d9b8c7cd0d78e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
253KB

MD5
ee9a97807fdc8e830f49733ee98ccf86

SHA1
bdcbe9c4edef5177c1972120a45ea6d0b2f222da

SHA256
9db5e14116e88ea3500f5dbed812b2c76feb512331f08b4bdf46ae17f06f0a07

SHA512
2b11ba7d131f3c735b8c2778cfeaaf3873688340ee296fe9b395ffc5856710d24e7799b791feae4cfdcbce9a21446d6278e299f26ccd995f72b783bb1763681e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
128KB

MD5
e29d674b1ae7a690af49f2a62806854e

SHA1
9b4feab048e9e082b0776e134702484fa395e4a8

SHA256
e28dcfe2dede0d1e888e88a3c9b5bdefc26e3a6bd1b59fa2a787e2751259acac

SHA512
cf06c992e632ebc3e06cfbda7eecf51cdf94e1eb0bf7ec2cc42b48d8c60cc9c249c5643a1be4276f77601dbb24ee43c6bdceedad0e9489a0c159c3e3ba44da27

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
4d95c5aeb3401c376a5de24d3eae1347

SHA1
ff86551573ad69893abc45b73acd30d9f128d57d

SHA256
f3343fee8ef3fe59954b41f929c3fd5a4419af541e592271eb4c627ca3618286

SHA512
008b6d3f4e9bdf604638588c5f1cf485d88af029dd2503874167749446de53f26851af86c908b1ea319101adff1c3ae6048ea7748c932d3ae091fd4eb6dca041

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
1.7MB

MD5
9845f648467bd68ebf59dfa4156e5961

SHA1
d2d59c6356671c89445d1c03d5a387ceeb2070f0

SHA256
9d275d281c8bdb0259c8d80ad520bada88735b4eefa9eac2f1da59cd645db15b

SHA512
3188b0c88d7d8873cbaf9fd70bcdb1842150ab9f9dbc44d24bf6cedb51cee33aef81f9c49cd367925007e27a949cce37279c9277eca00b3efb17fce22fb1f9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
197KB

MD5
1b354516ec634b77a3bc206f69390105

SHA1
98c1011e9e50e470e4dda6b70c389557acfa27db

SHA256
b8aa899150b7879225d81ad5d03609be04aed17c104f2d82b27fdc6f387bf20f

SHA512
f52963b338cf4c3265a31be0fd1a5880e366775c86ed41749d05cc556726d5c3861604a2ccf12bd8a00d413b43d67d69b924fe82d965dbb02d9a978eef928760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab69BD.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

Filesize
126KB

MD5
3d14ebd85b31867fa973ddffbddcbfef

SHA1
ada6fd8ac495fec4e962a979a3b44e04e14117b8

SHA256
b35c2fd0e6ab87c395f2fe2f71ddaff7d797ec99a8ae07415212203c2c01eabb

SHA512
16ed277fa4285fbd0c7e27804545aeacac6cfe00553c931272d6a07e14f9a73b09e650575abe826a81ea3d13b53523372f242a4f280865b023ada8d4a601b9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

Filesize
1.4MB

MD5
4518bfe2bb096b9abdb3ed35094c1624

SHA1
2db7e752b0eedce0653af69c3142653c6a739f71

SHA256
22a83c17f8fda0f4133fdcd26357ee01992cf79f3dc01e7c0fccbde56e944ee5

SHA512
a5d927379a98007282b898d8aaf3778858e47362dee56dca9841fe36ae03a7e8aa8a7d0c6f8e7b9ff48cd29e03c5dd7e6f17bef9e763951bdaf9ac6c43aea5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6AC9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
136KB

MD5
b1574073149ec6427f5d213e44ce0e89

SHA1
c5e46f5a4c35dd77c6806685c39be59b4e1b384b

SHA256
a20c339cd5794a98c1a946fb1c02c5735f411b7fbc1f79dda5b3bd1d44cdaa18

SHA512
296544e82bdd8e7617ded5c41ce3f2d3c26308910f2d4083e9f4bba84fd0e4769ac9e2d3fb1d6d6a08f59d5100648301b487e6256c2f103db799486100faf8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5B4C.tmp

Filesize
232KB

MD5
46f4253b03bb4662c8765ba4e708ed63

SHA1
23813b421eccbc0ff3aa10084b45f265f8aa138e

SHA256
a3848150ae9ee3d63fec9c296e76e5294fb84c276a7f775134dc74952937b639

SHA512
48645f175942a71e5840e76447b6e4ab4ef5e54d723dd22b557b621bb04711402f778903265d79bcc9aa5e65cc8a1ad7cc32581204f9021ab917755a99649580

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5B4C.tmp

Filesize
229KB

MD5
2d8f79a8f66c7ecec3ed25bcadd84a7f

SHA1
11ac2a4b49b0605fe333f5993d7a4031ac54c864

SHA256
d335bbd2caa84b7ca3c6474196120098bbd7786adb3b88f53a958156d589a414

SHA512
9f05f68088ed5aaf62e5b1a8d0903e534e366fac9fe7b4b2a27ed50668bc7e8e8fde999ea9041fd6bdc299fbc91acc2fd96b48f81a4c0d0251c44702f9462e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
569KB

MD5
983367ef95bedb6e80a4b8fe2bd8c8b0

SHA1
5510e0f4414fc558518bf1d5e75bb52dcbb6efd8

SHA256
0cbe71fe3a8597d7400c3c8e982877b54711add0a3ad2914fe80ab5438ff29b4

SHA512
ef34b9eea45f34873eb6666d18f1f1228dd87d5ce8a4258a22b5d171bdafcb2572e497b87a16e02d7a160f9ed70a8e02a9a07739463ae6fe174e5356459e8f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
190KB

MD5
1ab726f56baf87cc7547e9379d283371

SHA1
e7d9c6407e6c8707d861998980e1de12ced86801

SHA256
7ef8642411302ab00a1294b8614aebfd7806b0de0f2dec113cc2b896bd781b88

SHA512
9d1d98839a20e2accd9d4c22b016a7f6ce3919160deba40b8a951d08061bfee09a3549158f451aa20590f41d9877238b68ac70e2e8c23c5c27986be0ab69386c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe

Filesize
748KB

MD5
cd0ebc5a4e041a22a76fd6365f99319e

SHA1
1f831c08b01840d962b1f653e9cf0cf6ff20f287

SHA256
18db727d6980b4d80fe9cbf131ace51cd0551f697733ee022cd24eb8d17271b9

SHA512
8dbffe9c46588934d2b49d11a7e4ec4e56b1046c92b29212992b6b660a98d90be7c6819bd779ce52f4e835e73afeaf8bedd6886768f3269beb833a79fb23cff1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
777KB

MD5
424a33c902ef50866ba88ba1c84c8640

SHA1
94efb5789dfc8426b97f7e135646a39b0f1152f4

SHA256
f05390bf3ea68b09e7a45e47476e3dc9a185ab0263230f8365129481051de4ea

SHA512
03842c14c2b54b8a92d4546c37b349e82a2159082546917128d4254b0aa356e27409c0225f7b8192b1693ab3611d5a70c7f5289733bb4a7be735d4cb150e6654

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\ProgramData\mozglue.dll

Filesize
420KB

MD5
098338c2545e41febd1e95a64dc2c3d9

SHA1
966dae44a1fb7e0a004a11e8d9a91d4fa60ad7c3

SHA256
dab94ab524eaaab71bc9a666d620216b88bf3e575a75657ec97ed34e6b613ce1

SHA512
c1f39cb47e6ebe8accf09f03a9fe3c3785445e78588cdaf23c90ecbd23e2f60bf0d08cbcc29cf1f16274f1f20d99c69ed298fe38070194fe887d536334a4305d

Download Submit
\ProgramData\nss3.dll

Filesize
358KB

MD5
98aa5aff154d8b7d4b4db497830850ab

SHA1
3c10738d97ee45cc236bed1682c94cf3f539981c

SHA256
6b015541df9b38cc2bedfaa91e0c93c4f9d77c6dc538494187637381f27c2164

SHA512
cab6e992f5bc3b8cab7b156eb8082051635cd37bdf7efd453d9542014c8d4818b702c4266c028a07aaad7851f8b86420357814f4f360a5f368a9e312cdb57953

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
839KB

MD5
58b8c6a6b9431bfaafc4547492289848

SHA1
6542d543d5e240ba957e904285a13ce4dc101ac9

SHA256
a9779129e24f96dc3b0e10e28f23bdbb19bb144ea781c39b5f6c6b871220f0e8

SHA512
596d016c0a8897abb1db7d0b64dce2c0782028b3d811da5f9176be5a64960145691212bfc82345273fc40f827bfcd8d88ab68f5e7746917794924406c69889c5

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
592KB

MD5
8895b2e7a6ec2b28006e5e4cc6007c4f

SHA1
c8f23f163d0d7704ad0a28b21aef9e0cb8b2feff

SHA256
643e3c0e2b9ff86e57855030089519bec41daec13deea4b9ae0f0af8baa3ac58

SHA512
6cdeb93109cd7d7dbd9f51292ae1ef7bf766f0835eb8980fba43f4905544d69d70662dbb64a93141482f70729028eb162a496853ff8e8d3244e0633cbb7248a1

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
250KB

MD5
676838031a7b6ec2ef35619e29e3771d

SHA1
d3c7c964b793fd8d4846c53449c104d84c638816

SHA256
e031b4ac08f129be05739a2b935bde8028428bcac2b544f302b7ec4cd57f1104

SHA512
3f6a0b4228fb70312963580bba2606b16d2681a7d437899c59c6920b1d66467b24b6a57862094c1101f4ccf64f0478466ef94de83c565e32cf1264fd2018705e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

Filesize
1.2MB

MD5
01ad054ff132c32bbde4a8f76afb007f

SHA1
0cded1f323c9aebd5fec184028d0691c623c2fe4

SHA256
26d379cef428ef51151d0980b9ada3eb6763d5bc144c1d6661c46b47d6b15ed2

SHA512
d86dda3d78f8a10f7c34703b879d824116cad1ffc9dd75f32f2de347013b55d2621fda47a292792db93aa41c13f6dd85545ca37b609b8097e79b16daeaafe777

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
149KB

MD5
50a167d32e8b7785130c0bd7fa4fb8ed

SHA1
f5be3fad201301ef649a08fe80e7512aa0858c3b

SHA256
6a2bef4e63aea3f6d8c74e2cd7b8b7dcb9331aec32382398c98e628954062f85

SHA512
a99c69764b82fabf9a4f88850ee481f550cd2235d6db46935acd9ba4433d35d5191a35cc0d968fc83ac91a1ee7257f3e4701bcda364cacfae213b0e8393c60bc

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
928KB

MD5
c5b4dd361fe90f085232c11c8651b84f

SHA1
42919913775584dbd67ffd58ceace0dbbd9a8c9b

SHA256
bafa2a2faf95d336c5e93c5b1c48f9ebcb2d325d72d7e7572f56659e4f42ec68

SHA512
1c58aa0dfb06ba975fefe8dc64e7ca9e0ab7ff2f5abfbb7f2c7cbb875829f44caf214bb647278ba47d349286e52ce1444353437dc73e3bf562dc345e2b091889

Download Submit
\Users\Admin\AppData\Local\Temp\nso5B4C.tmp

Filesize
223KB

MD5
489bebb4f9c2221b3eb7ab8ce66b05ec

SHA1
4787d545c02d9c1d8da2e1e58a8c40dfe3a1d546

SHA256
d6760e06898ab75fbcf50d21db4a6e21430b368fecad817187c93fb2c0280872

SHA512
d7a9e9a3591e1c086d5943d0cd8b4fb1eb5e74f397ada5ed8172992d98ede6b15ac0cbff700ee6a130df7a5c2ff66780f11b06d8ad248d888d5472a29c7a2bf0

Download Submit
\Users\Admin\AppData\Local\Temp\nst5726.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
625KB

MD5
8d67cdff52832819f8926b2f3eddf18e

SHA1
8d66343ceb3ac42f6d05abb5bfb958f4cf46ddfb

SHA256
5bf43cac9fff4deb472f88512ad6fcbb02e994cc4502b10b1a80d0871d3b6422

SHA512
962a16cfed6d831fb0f94a8e9d8f3e4437c82b5d8d40181ee7db737b3eb2cc3d41397886ed0d5adc5b35be7355a5b7203aebafcc45ee1b54381c01f39f812066

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
759KB

MD5
3371533127e21e95718aa4068166c2ea

SHA1
42325e953df0b37f90040dcd21c14777897aad60

SHA256
cae7494b196549bd6c98f6094339f60481116b44acaa417eecc9e8324135e39f

SHA512
aec6d032e893988d0effb0e1ca7094d5a0e7a7fab87db0c50784faa4d3a5b13162e4a4d7e2a571bb7ff258292490038b09ca4374f05720f1f66e32b29ec2feea

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
543KB

MD5
1b187b01fae8ab32323b7f8ccf157347

SHA1
3a38f9dbe7b6812abc2a7e0ec4867506438d291a

SHA256
c723d8297fbe718f56b30913c74b8dc3995be3cbabcccaa2b4ad9217a7334ec5

SHA512
330f3f75aa2456810f0759b735e3433fcadd381ca06da44e00242fc190840d7478adb73513f97d5714b3a12d2424b9f89150a22b7e80d26cc1f2b18f70b5e2a1

Download Submit
\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
260KB

MD5
2c35483cb326802ad30c27d619af9e19

SHA1
b1376bc7bc51461fa00a621c50a0f2973d39399d

SHA256
9d9ba3229de19966b32c14e23ee8a9edcc923a8aab5e929232826956d49de74e

SHA512
22edc98d5040d682c8edcd93b5943d5824c36d9ee41991878292da54474d412814945317688c9a0ea0573ffc9551785ae0df626927ed3f769071f141dfec738b

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
1.1MB

MD5
dd2e2c157fd2b845800bbcdb9f0aa229

SHA1
6ba841feca918aa44f19570e9b2a582de52599c3

SHA256
217525171221df5c457add0beee9700fb26815d306cceac2aecb2df8d96799c0

SHA512
4e985595f78974e23bcdf031bc5e1b0947d38434da4df9b137899c1c4c3858a9789d233b1a2d1b44c4b12c1788b9f841c1bec85b8c72e3644442e13cc854f0c5

Download Submit
\Windows\rss\csrss.exe

Filesize
1.1MB

MD5
81d4f345851f32d556ff74e51b2b17c1

SHA1
b6d6c9db1fd38fb26c47f8e2a24948f05a27dc02

SHA256
6a41090f384b49ba868d68ed5d388c61b1bcd7db60d4261bfa124509abef61d6

SHA512
80513d50b97520ac4590c7555c7b5f03eb2edd83751794fa27f75586e2e8d70e427302c22ee773924ebdac366af6f69a3334c6bd0053ec31148361403fe45ae3

Download Submit
memory/1256-420-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1256-424-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2000-249-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2000-255-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2000-263-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/2000-254-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2000-248-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/2000-261-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2000-160-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2000-52-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/2000-53-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2000-54-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2000-200-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2004-377-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-375-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-281-0x0000000002520000-0x0000000002918000-memory.dmp

Filesize
4.0MB

Download
memory/2004-282-0x0000000002920000-0x000000000320B000-memory.dmp

Filesize
8.9MB

Download
memory/2004-283-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-384-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-275-0x0000000002520000-0x0000000002918000-memory.dmp

Filesize
4.0MB

Download
memory/2004-425-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-372-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-371-0x0000000002520000-0x0000000002918000-memory.dmp

Filesize
4.0MB

Download
memory/2004-369-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-430-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-415-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-382-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2004-427-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2184-428-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2184-423-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2188-205-0x00000000025E0000-0x00000000029D8000-memory.dmp

Filesize
4.0MB

Download
memory/2188-262-0x00000000025E0000-0x00000000029D8000-memory.dmp

Filesize
4.0MB

Download
memory/2188-266-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2188-276-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2188-277-0x00000000025E0000-0x00000000029D8000-memory.dmp

Filesize
4.0MB

Download
memory/2416-36-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2416-189-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2416-231-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2712-35-0x00000000FFC90000-0x00000000FFCF4000-memory.dmp

Filesize
400KB

Download
memory/2712-280-0x00000000037C0000-0x00000000038F0000-memory.dmp

Filesize
1.2MB

Download
memory/2712-211-0x00000000037C0000-0x00000000038F0000-memory.dmp

Filesize
1.2MB

Download
memory/2712-210-0x0000000002640000-0x000000000274C000-memory.dmp

Filesize
1.0MB

Download
memory/2748-194-0x00000000029C0000-0x00000000032AB000-memory.dmp

Filesize
8.9MB

Download
memory/2748-18-0x00000000025C0000-0x00000000029B8000-memory.dmp

Filesize
4.0MB

Download
memory/2748-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2748-195-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2748-207-0x00000000029C0000-0x00000000032AB000-memory.dmp

Filesize
8.9MB

Download
memory/2748-190-0x00000000025C0000-0x00000000029B8000-memory.dmp

Filesize
4.0MB

Download
memory/2936-308-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2936-302-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3016-1-0x0000000000120000-0x000000000077A000-memory.dmp

Filesize
6.4MB

Download
memory/3016-0-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/3016-25-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download