glupteba | b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89dbbd2f1461d68ee434f6892130a1b1.exe
Size

4.2MB
MD5

89dbbd2f1461d68ee434f6892130a1b1
SHA1

4e145e27f03fc19db5d148587fd58edabc5f05fd
SHA256

b79c2d817b0ced7a0f16ebbb1a91defae311debe95bf3e54b8194003bb9985c5
SHA512

32d909207414d3a2c92d1b856b24261ba5cfa9ac290a1ef32982684b788cc12aef480549a769118a59f6f14c5bcc6d862b61d4d9ab622ee7d16b9549ad865d08
SSDEEP

98304:teW8UzsHIbLf9dWRHWVRhdNR5S1sJRNc/DhpLv/dFcsAkZ5z:q0L1dWRH6Rb9w/n3rVAkT

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 22 IoCs

resource	yara_rule
behavioral1/memory/2924-2-0x0000000003BC0000-0x00000000044AB000-memory.dmp	family_glupteba
behavioral1/memory/2924-3-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2924-4-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2924-6-0x0000000003BC0000-0x00000000044AB000-memory.dmp	family_glupteba
behavioral1/memory/2500-9-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2500-18-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-22-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-103-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-116-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-117-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-121-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-150-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-159-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-162-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-164-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-167-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-168-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-170-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-173-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-175-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-176-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/1876-178-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\89dbbd2f1461d68ee434f6892130a1b1.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2984	bcdedit.exe
2072	bcdedit.exe
1184	bcdedit.exe
1652	bcdedit.exe
1436	bcdedit.exe
2144	bcdedit.exe
1524	bcdedit.exe
696	bcdedit.exe
2872	bcdedit.exe
880	bcdedit.exe
976	bcdedit.exe
1644	bcdedit.exe
2804	bcdedit.exe
2784	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2396	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 6 IoCs

pid	Process
1876	csrss.exe
2188	patch.exe
2608	injector.exe
2936	dsefix.exe
1012	windefender.exe
1656	windefender.exe

Loads dropped DLL 13 IoCs

pid	Process
2500	89dbbd2f1461d68ee434f6892130a1b1.exe
2500	89dbbd2f1461d68ee434f6892130a1b1.exe
860	Process not Found
2188	patch.exe
2188	patch.exe
2188	patch.exe
2188	patch.exe
2188	patch.exe
1876	csrss.exe
2188	patch.exe
2188	patch.exe
2188	patch.exe
1876	csrss.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019383-153.dat	upx
behavioral1/memory/1012-154-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1656-157-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1012-158-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1656-160-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1656-165-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1656-169-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1656-172-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\89dbbd2f1461d68ee434f6892130a1b1.exe = "0"	89dbbd2f1461d68ee434f6892130a1b1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	89dbbd2f1461d68ee434f6892130a1b1.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	89dbbd2f1461d68ee434f6892130a1b1.exe
File created	C:\Windows\rss\csrss.exe	89dbbd2f1461d68ee434f6892130a1b1.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240311072309.cab	makecab.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1548	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2452	schtasks.exe
2668	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	89dbbd2f1461d68ee434f6892130a1b1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	89dbbd2f1461d68ee434f6892130a1b1.exe
2500	89dbbd2f1461d68ee434f6892130a1b1.exe
2500	89dbbd2f1461d68ee434f6892130a1b1.exe
2500	89dbbd2f1461d68ee434f6892130a1b1.exe
2500	89dbbd2f1461d68ee434f6892130a1b1.exe
2500	89dbbd2f1461d68ee434f6892130a1b1.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
1876	csrss.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
1876	csrss.exe
2608	injector.exe
2608	injector.exe
1876	csrss.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe
2608	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	89dbbd2f1461d68ee434f6892130a1b1.exe
Token: SeImpersonatePrivilege	2924	89dbbd2f1461d68ee434f6892130a1b1.exe
Token: SeSystemEnvironmentPrivilege	1876	csrss.exe
Token: SeSecurityPrivilege	1548	sc.exe
Token: SeSecurityPrivilege	1548	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2496	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	33
PID 2500 wrote to memory of 2496	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	33
PID 2500 wrote to memory of 2496	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	33
PID 2500 wrote to memory of 2496	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	33
PID 2496 wrote to memory of 2396	2496	cmd.exe	35
PID 2496 wrote to memory of 2396	2496	cmd.exe	35
PID 2496 wrote to memory of 2396	2496	cmd.exe	35
PID 2500 wrote to memory of 1876	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	36
PID 2500 wrote to memory of 1876	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	36
PID 2500 wrote to memory of 1876	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	36
PID 2500 wrote to memory of 1876	2500	89dbbd2f1461d68ee434f6892130a1b1.exe	36
PID 1876 wrote to memory of 2608	1876	csrss.exe	43
PID 1876 wrote to memory of 2608	1876	csrss.exe	43
PID 1876 wrote to memory of 2608	1876	csrss.exe	43
PID 1876 wrote to memory of 2608	1876	csrss.exe	43
PID 2188 wrote to memory of 2984	2188	patch.exe	46
PID 2188 wrote to memory of 2984	2188	patch.exe	46
PID 2188 wrote to memory of 2984	2188	patch.exe	46
PID 2188 wrote to memory of 1184	2188	patch.exe	48
PID 2188 wrote to memory of 1184	2188	patch.exe	48
PID 2188 wrote to memory of 1184	2188	patch.exe	48
PID 2188 wrote to memory of 2072	2188	patch.exe	50
PID 2188 wrote to memory of 2072	2188	patch.exe	50
PID 2188 wrote to memory of 2072	2188	patch.exe	50
PID 2188 wrote to memory of 2784	2188	patch.exe	52
PID 2188 wrote to memory of 2784	2188	patch.exe	52
PID 2188 wrote to memory of 2784	2188	patch.exe	52
PID 2188 wrote to memory of 2804	2188	patch.exe	54
PID 2188 wrote to memory of 2804	2188	patch.exe	54
PID 2188 wrote to memory of 2804	2188	patch.exe	54
PID 2188 wrote to memory of 1644	2188	patch.exe	56
PID 2188 wrote to memory of 1644	2188	patch.exe	56
PID 2188 wrote to memory of 1644	2188	patch.exe	56
PID 2188 wrote to memory of 1436	2188	patch.exe	58
PID 2188 wrote to memory of 1436	2188	patch.exe	58
PID 2188 wrote to memory of 1436	2188	patch.exe	58
PID 2188 wrote to memory of 1652	2188	patch.exe	60
PID 2188 wrote to memory of 1652	2188	patch.exe	60
PID 2188 wrote to memory of 1652	2188	patch.exe	60
PID 2188 wrote to memory of 976	2188	patch.exe	62
PID 2188 wrote to memory of 976	2188	patch.exe	62
PID 2188 wrote to memory of 976	2188	patch.exe	62
PID 2188 wrote to memory of 880	2188	patch.exe	64
PID 2188 wrote to memory of 880	2188	patch.exe	64
PID 2188 wrote to memory of 880	2188	patch.exe	64
PID 2188 wrote to memory of 2144	2188	patch.exe	66
PID 2188 wrote to memory of 2144	2188	patch.exe	66
PID 2188 wrote to memory of 2144	2188	patch.exe	66
PID 2188 wrote to memory of 2872	2188	patch.exe	68
PID 2188 wrote to memory of 2872	2188	patch.exe	68
PID 2188 wrote to memory of 2872	2188	patch.exe	68
PID 2188 wrote to memory of 1524	2188	patch.exe	70
PID 2188 wrote to memory of 1524	2188	patch.exe	70
PID 2188 wrote to memory of 1524	2188	patch.exe	70
PID 1876 wrote to memory of 696	1876	csrss.exe	72
PID 1876 wrote to memory of 696	1876	csrss.exe	72
PID 1876 wrote to memory of 696	1876	csrss.exe	72
PID 1876 wrote to memory of 696	1876	csrss.exe	72
PID 1876 wrote to memory of 2936	1876	csrss.exe	74
PID 1876 wrote to memory of 2936	1876	csrss.exe	74
PID 1876 wrote to memory of 2936	1876	csrss.exe	74
PID 1876 wrote to memory of 2936	1876	csrss.exe	74
PID 1012 wrote to memory of 2700	1012	windefender.exe	83
PID 1012 wrote to memory of 2700	1012	windefender.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\89dbbd2f1461d68ee434f6892130a1b1.exe
"C:\Users\Admin\AppData\Local\Temp\89dbbd2f1461d68ee434f6892130a1b1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
- C:\Users\Admin\AppData\Local\Temp\89dbbd2f1461d68ee434f6892130a1b1.exe
  "C:\Users\Admin\AppData\Local\Temp\89dbbd2f1461d68ee434f6892130a1b1.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2396
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2452
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2984
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1184
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2072
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2784
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2804
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1644
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1436
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1652
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:976
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:880
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2144
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2872
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2608
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:696
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:2936
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2668
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2700
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311072309.log C:\Windows\Logs\CBS\CbsPersist_20240311072309.cab
1⤵
- Drops file in Windows directory
PID:2536

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab393B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
576KB

MD5
92ae775acbdae61cb6ea7b91eeb0673b

SHA1
d03effd673cbdcda20b2496ddf0d49a544a64125

SHA256
d8edb9292d9152f65e51cddb124191d2e4540451dc0db4cf89684651f1745b2b

SHA512
7d922595cdc5528f4069283f5c33b5fb284b30ca5c0c219cc20be00057b943118718fab1e77f53b24b3a7a6d5b8a46e16f2f078fd50c9992bfb473d57dd0740f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
248KB

MD5
717969d344a08fb7f643ee17b9b761d1

SHA1
c480435ffaf52dfd3b8a2d32271cd1499248851a

SHA256
59799be121bef6cbfce084db885ad525dd9abdc7c110b78b5d16d21efdd3567d

SHA512
da456182c210b28c5d3d0eed68478c6349c7407d9d8d41c91bd5113fdda3b0150b5f62c318752cb7d4eed749cf48224de633a72b0d8df52d0dc25481aa09f718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3AD8.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
111KB

MD5
5887d8a552955eab802fb49f56982aa1

SHA1
4ac61f62db5c321a46f2c30911926244137b1e87

SHA256
f25b2ca917f64790752a64609d183d0068223bc89b0821c90f67edee7d636cf0

SHA512
4bc1349c7167c7f32710cdbec872d84df5ef073cee9adec82f4a18ec78f9f55de558fe47ee4a240433d783dda2741d735014ced1b5d1ae8a1d9b087a1545835a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
687KB

MD5
a50649bf89a6dd07a8554886ffc85afe

SHA1
ed7d8f6a200d037faae6a93483713b22f3c703bb

SHA256
5887a879b136f76f3e2ca559dc3070ded87076b32934a01a524471d4aee05075

SHA512
8b6ba54f9a1906908ec1e863c15272b53bc5397087cd696c17074dc0b2dc8d9f02d0fa95d8e27320449c4fac31ea55b16d4a9fb4171536da5c852068a8fc5e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
324KB

MD5
68f40071a0db7e5a685eb496cfd9904d

SHA1
6f975150b16213da54185948ae6d02687a2869ec

SHA256
7d3b4fd2ca2d325c4bda27015534c1bb2649d416fef62823709c1db77b1af43b

SHA512
0c1be980e0782e65aa1e83ca7706ad44f8229c3c489501d3ccbae802b387a1146ee2f4963482670d56c5057c394cb242482314edf8fabfd9cba074e5eaeaf26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
228KB

MD5
dc886802caa2c0c19139b2c802031df5

SHA1
746905e7a68abee0136780372bf9561434f6224e

SHA256
8ba34cdeaddb358448d81fbf933f6ddff5e80d4028b7f0a3eb2f782bcb23ade8

SHA512
003aebf5e9bf0541036d59be115f13036e9b50ad660ad0dd5da2b295c4f83e09d68794071d97a6d5a77a5fdd7b5c4ab63ba7adac779f9b4a2356014a73186e10

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.9MB

MD5
27e571f5a29b38a9131ae33ea1f2fe76

SHA1
7be37195ce4158680d6b95bdbb6940e0b2632d0b

SHA256
2509c08475a3e740fed50cb846bb9e7772208ffd38134dcd01f4ba1258f65f6c

SHA512
0576710711e0f195855fa031e87aa362ce45325ccd4da7640d7694c25c06a3f2095a806a05409265fec15cc8d10266eca4538be76030ab85b21d6ba16028e37a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.6MB

MD5
1bf4b30a4ea49121509009872d8298f3

SHA1
d72a7274031d66dbe16f2d974e01e469802f7734

SHA256
9d58ed0384465bada189fb674d57e1d00c7aef6c02fe1d3b70960472aef87e59

SHA512
07df8fbef8f2b54ebb9f04edf5246d982b0f20e4234bbd0a4d1aeb075070286efa9c01ed23b0a12187aae07ef7f6ce2c630f4fc7bb3ec40137319735e9530635

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1013KB

MD5
bbf8d7c5c06a4d122505a57391fc305e

SHA1
a3fc0a2ba860429be1b438f0d2184c51c5cca9e4

SHA256
2028c3936a32393baee94980bc05c7ba63c185c313fcf56fafdce1b0df2fc174

SHA512
ea1f03c14e0760d9668fcc95a4770b6bd64fa3cb862be311205f83bbbee40c4962f85a6c791fce66f3e12c52c747d61c300bdb5cbbee8c46ee05ea9bc8b5cebb

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
103KB

MD5
151cbc155a7d9969ae717afdcdb5f985

SHA1
ab7a5770e6c87e33f8a87bb7c53697ffb2af4978

SHA256
235b13bf267fee5d317dabdbfbef07b777c3758c6e7ac5b47fbf9daf7ed794c1

SHA512
beff923edc7591db7cfd948e38fdf0a74b39e8ff8a32c3add45a0e45d8d14ed8b0e7bfad20f881c2bb728db64545f23fc6b5f62c56573dab49dc10e4e1242d7f

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
607KB

MD5
0521ccbbaf23205e7cc86905ad4f8e8c

SHA1
624b07065ad764f79bde22e51c64253d6d8ed018

SHA256
138d2ac62fe35ef60307998e2185a79e6b2d3f3dc17469a01e86a64e854f6706

SHA512
90424f16e96dc7adde35f8f03824dd666db3e6809f5eaa6658ad7cf6f40395b40ed18af95e5fefaa3f8728b48b5f27c0b4558173cfb6338ffed2af9243d516a0

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
498KB

MD5
8938bf0da436b8de38ad4d46ed2c94e3

SHA1
6d5ada6fd0e78a470cbf06537423b0c42d166588

SHA256
2d1961126df61fedf423c8e0defedf7f01b8d582321bcb6052fd3b616469ef8b

SHA512
f59472f62a2292eaeedc7893aaec1dd113030d9bb886245b6e30447d36f5690e044a5548130604c461a214c54babbf6e204f8c957804089a5d76cec0225bdc54

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
369KB

MD5
7425fbee1660c8caffa6981134a0f8a4

SHA1
b8c4d0109e17aaf8f531372863a76b6efe7d0503

SHA256
0c297af4f0885c381cb050ffce8c2d06e977137666b35799ae9a4925bdfa47dd

SHA512
ac16972f43def2bf3828089138310d11d17cd252e04a20009101ad4e4fe8490cdf60333d317a16313c2a6c0ddc989f3edfca1c1453c18391571b2614acb49cc5

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
791KB

MD5
c1a812370d6b6c54988104ee10513cef

SHA1
99adeaea8bee7e3e05ce37ea4fdb98adb62ba5ea

SHA256
60780d89667cea59f79b1ea392608630f107b66272e44572de9ac2ee33de1301

SHA512
3e1dde66ad0e850f708cf4834f11ab75be246064fd0e89f8a9728d00ed177c0ee3bb5d28115841bdc6e88187472c270fe0ac17ddfc743711c44fd824864de3ee

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
446KB

MD5
bf1e4fd502585c0517125ccb355cb8cc

SHA1
e902a4a10072174c9ac16fedafe4d3336e6d3e9a

SHA256
4d71c9730b4d4a1f3204041871d7c222059a7c31bf9284a59758ff26f703844c

SHA512
6bcbf3f1826ff096ba19888b8ae1909fb22cfb74974afbe65b45f7ca8b825a65ef34e79107879401cd5ef1d6c2ff83abf4b0fb3edc30d254463b2541ce0e12e9

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
156KB

MD5
e93df6ba226e1f9e41a3e4cf3bbf8d10

SHA1
df9e4771d2bbfc4b6b74408f84a974dbf412c636

SHA256
bfaec2ad8e4d43d7268c3fbb06cd029a5699d1e0e496ff7768b5573979cd39ce

SHA512
3e547dea37bc6c2c3e80915956ea46e79e165134c10089e48250811c7d60d95c93a12f4d6b8037252fdeb7f0aaa392c520ada1bebf391ca0365ec44a41d88420

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
179KB

MD5
cca6baced35d467a404d920a2ad3fedd

SHA1
3d5e00afa809d2e6d43caaddead714771608cc46

SHA256
173a10ab9dac4222edbde516d3cf1d510111345b06379e5ab07a8bf54f704d8c

SHA512
e9f2a65d229a179a77b62c4f72b28b9da781801b857ba6b9c364384fc78fe031016cc563c48a2749de23f5de8f6330e65db00afebd23a7b2aa84f7b869e8fad5

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
192KB

MD5
466293438bb4f9ca12efb533d8e8be94

SHA1
f8621bf145f9df65c4f7681d8bfe7111815ecd12

SHA256
29a9902382263b0a1e4ed01ed14313b1d16e7c434758c248773d4a974fa44086

SHA512
297e1e7a2839bb19ab482be8643f47fd94d63bbd5079bf63319047447f396356d3a4a3b5b0052cbe52c8f9241a04790079b9a1f73202a317294ebd59cd4e018f

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
1.4MB

MD5
6b54d5d424d166ece4fca95ecdd9bd1d

SHA1
1f91af7d7e8b51dd0a6d4ef44790470a993fd163

SHA256
7ec324abe13f7481c4e07ef42e38fd55c4ce55de0a33f07d3558c12da01ef753

SHA512
4d37cd2af5e24f8684bd598ac173a71cb7eac69bc30f5b0cc316ea3040adf65e81f1c38a90ae0b86f06bb076765c2b0da11213d58ae92ba8bf5788e6c64a7138

Download Submit
\Windows\rss\csrss.exe

Filesize
1.6MB

MD5
f9934bd98f2c5addf026e9616209339b

SHA1
c9bf501175e2237f5705670f6cf7a2f26320b980

SHA256
6d3fa3e8bea0fde4064f52258b38696b6949ce0113aa728557bb64af1a774aec

SHA512
6774da26a8152cde72c72dbe28f30d7978c474fd8f08cefdfedac304018c48ac2eafe1f5deee72b2e4fc9322923ce0d91e7a4fad5db95981aeb8e531a821636e

Download Submit
memory/1012-154-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1012-158-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1656-157-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1656-172-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1656-169-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1656-165-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1656-160-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1876-162-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-168-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-103-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-115-0x0000000003720000-0x0000000003B18000-memory.dmp

Filesize
4.0MB

Download
memory/1876-116-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-117-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-121-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-178-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-176-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-175-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-173-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-170-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-22-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-167-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-150-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-21-0x0000000003720000-0x0000000003B18000-memory.dmp

Filesize
4.0MB

Download
memory/1876-164-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1876-19-0x0000000003720000-0x0000000003B18000-memory.dmp

Filesize
4.0MB

Download
memory/1876-159-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2188-43-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2188-29-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2500-9-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2500-18-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2500-5-0x0000000003660000-0x0000000003A58000-memory.dmp

Filesize
4.0MB

Download
memory/2500-20-0x0000000003660000-0x0000000003A58000-memory.dmp

Filesize
4.0MB

Download
memory/2500-8-0x0000000003660000-0x0000000003A58000-memory.dmp

Filesize
4.0MB

Download
memory/2924-0-0x00000000037C0000-0x0000000003BB8000-memory.dmp

Filesize
4.0MB

Download
memory/2924-1-0x00000000037C0000-0x0000000003BB8000-memory.dmp

Filesize
4.0MB

Download
memory/2924-2-0x0000000003BC0000-0x00000000044AB000-memory.dmp

Filesize
8.9MB

Download
memory/2924-3-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2924-4-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2924-6-0x0000000003BC0000-0x00000000044AB000-memory.dmp

Filesize
8.9MB

Download
memory/2924-7-0x00000000037C0000-0x0000000003BB8000-memory.dmp

Filesize
4.0MB

Download