glupteba | 5d60502a5cb4d285aa1292f7d1fd6297e07e310babf6fc52bcdc86ef0c9e06bb

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c2c0a3850e702555c86672dfccf87e.exe
Size

4.2MB
MD5

90c2c0a3850e702555c86672dfccf87e
SHA1

547237f6c49839d5b52c21541e3ef97e70c09e14
SHA256

5d60502a5cb4d285aa1292f7d1fd6297e07e310babf6fc52bcdc86ef0c9e06bb
SHA512

bef33bcfe5c99260d7e3d4a1f874606b166a8ee6307780140ce3350df0e1c7804695596fdcd252a9ce5445439afc2bb6a8b33d99bf175fb722f89213197367f9
SSDEEP

98304:teW8UzsHIbLf9dWRHWVRhdNR5S1sJRNc/DhpLv/dFcsAkZ5X:q0L1dWRH6Rb9w/n3rVAk3

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2924-2-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2924-3-0x0000000003A20000-0x000000000430B000-memory.dmp	family_glupteba
behavioral1/memory/2924-5-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2536-7-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2536-17-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-20-0x0000000003950000-0x000000000423B000-memory.dmp	family_glupteba
behavioral1/memory/2728-21-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-113-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-114-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-115-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-119-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-120-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-150-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-159-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-160-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-162-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-165-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-167-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-168-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-170-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-173-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral1/memory/2728-175-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

90c2c0a3850e702555c86672dfccf87e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\90c2c0a3850e702555c86672dfccf87e.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1756	bcdedit.exe
2260	bcdedit.exe
1676	bcdedit.exe
2216	bcdedit.exe
1504	bcdedit.exe
2328	bcdedit.exe
2220	bcdedit.exe
1708	bcdedit.exe
328	bcdedit.exe
1932	bcdedit.exe
2688	bcdedit.exe
2932	bcdedit.exe
3052	bcdedit.exe
2596	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3064 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Executes dropped EXE 6 IoCs

Processes:

csrss.exepatch.exeinjector.exedsefix.exewindefender.exewindefender.exe

pid process

2728 csrss.exe
3028 patch.exe
2612 injector.exe
2748 dsefix.exe
1728 windefender.exe
2820 windefender.exe

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
3064	netsh.exe

pid	process
2728	csrss.exe
3028	patch.exe
2612	injector.exe
2748	dsefix.exe
1728	windefender.exe
2820	windefender.exe

Loads dropped DLL 13 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.exepatch.execsrss.exe

pid	process
2536	90c2c0a3850e702555c86672dfccf87e.exe
2536	90c2c0a3850e702555c86672dfccf87e.exe
860
3028	patch.exe
3028	patch.exe
3028	patch.exe
3028	patch.exe
3028	patch.exe
2728	csrss.exe
3028	patch.exe
3028	patch.exe
3028	patch.exe
2728	csrss.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/1728-154-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1728-157-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2820-158-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2820-161-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2820-164-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

90c2c0a3850e702555c86672dfccf87e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\90c2c0a3850e702555c86672dfccf87e.exe = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	90c2c0a3850e702555c86672dfccf87e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exe90c2c0a3850e702555c86672dfccf87e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	90c2c0a3850e702555c86672dfccf87e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

90c2c0a3850e702555c86672dfccf87e.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 90c2c0a3850e702555c86672dfccf87e.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	90c2c0a3850e702555c86672dfccf87e.exe

Drops file in Windows directory 5 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	90c2c0a3850e702555c86672dfccf87e.exe
File created	C:\Windows\rss\csrss.exe	90c2c0a3850e702555c86672dfccf87e.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240311072310.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2836 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2824 schtasks.exe
2940 schtasks.exe

pid	process
2836	sc.exe

pid	process
2824	schtasks.exe
2940	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.exewindefender.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.exe90c2c0a3850e702555c86672dfccf87e.exeinjector.execsrss.exe

pid	process
2924	90c2c0a3850e702555c86672dfccf87e.exe
2536	90c2c0a3850e702555c86672dfccf87e.exe
2536	90c2c0a3850e702555c86672dfccf87e.exe
2536	90c2c0a3850e702555c86672dfccf87e.exe
2536	90c2c0a3850e702555c86672dfccf87e.exe
2536	90c2c0a3850e702555c86672dfccf87e.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2728	csrss.exe
2612	injector.exe
2612	injector.exe
2612	injector.exe
2728	csrss.exe
2612	injector.exe
2728	csrss.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

480

pid	process
480

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2924	90c2c0a3850e702555c86672dfccf87e.exe
Token: SeImpersonatePrivilege	2924	90c2c0a3850e702555c86672dfccf87e.exe
Token: SeSystemEnvironmentPrivilege	2728	csrss.exe
Token: SeSecurityPrivilege	2836	sc.exe
Token: SeSecurityPrivilege	2836	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.execmd.execsrss.exepatch.exewindefender.exe

description	pid	process	target process
PID 2536 wrote to memory of 2712	2536	90c2c0a3850e702555c86672dfccf87e.exe	cmd.exe
PID 2536 wrote to memory of 2712	2536	90c2c0a3850e702555c86672dfccf87e.exe	cmd.exe
PID 2536 wrote to memory of 2712	2536	90c2c0a3850e702555c86672dfccf87e.exe	cmd.exe
PID 2536 wrote to memory of 2712	2536	90c2c0a3850e702555c86672dfccf87e.exe	cmd.exe
PID 2712 wrote to memory of 3064	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 3064	2712	cmd.exe	netsh.exe
PID 2712 wrote to memory of 3064	2712	cmd.exe	netsh.exe
PID 2536 wrote to memory of 2728	2536	90c2c0a3850e702555c86672dfccf87e.exe	csrss.exe
PID 2536 wrote to memory of 2728	2536	90c2c0a3850e702555c86672dfccf87e.exe	csrss.exe
PID 2536 wrote to memory of 2728	2536	90c2c0a3850e702555c86672dfccf87e.exe	csrss.exe
PID 2536 wrote to memory of 2728	2536	90c2c0a3850e702555c86672dfccf87e.exe	csrss.exe
PID 2728 wrote to memory of 2612	2728	csrss.exe	injector.exe
PID 2728 wrote to memory of 2612	2728	csrss.exe	injector.exe
PID 2728 wrote to memory of 2612	2728	csrss.exe	injector.exe
PID 2728 wrote to memory of 2612	2728	csrss.exe	injector.exe
PID 3028 wrote to memory of 1756	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1756	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1756	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2260	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2260	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2260	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1676	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1676	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1676	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2216	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2216	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2216	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1504	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1504	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1504	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2328	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2328	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2328	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2220	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2220	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2220	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1708	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1708	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1708	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 328	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 328	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 328	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1932	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1932	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 1932	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2688	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2688	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2688	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2932	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2932	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 2932	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 3052	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 3052	3028	patch.exe	bcdedit.exe
PID 3028 wrote to memory of 3052	3028	patch.exe	bcdedit.exe
PID 2728 wrote to memory of 2596	2728	csrss.exe	bcdedit.exe
PID 2728 wrote to memory of 2596	2728	csrss.exe	bcdedit.exe
PID 2728 wrote to memory of 2596	2728	csrss.exe	bcdedit.exe
PID 2728 wrote to memory of 2596	2728	csrss.exe	bcdedit.exe
PID 2728 wrote to memory of 2748	2728	csrss.exe	dsefix.exe
PID 2728 wrote to memory of 2748	2728	csrss.exe	dsefix.exe
PID 2728 wrote to memory of 2748	2728	csrss.exe	dsefix.exe
PID 2728 wrote to memory of 2748	2728	csrss.exe	dsefix.exe
PID 1728 wrote to memory of 1724	1728	windefender.exe	cmd.exe
PID 1728 wrote to memory of 1724	1728	windefender.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe
"C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe
"C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe"
2⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3064

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:1756

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:2260

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:1676

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:2216

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:1504

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:2328

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:2220

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:1708

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:328

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:1932

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:2688

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:2932

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:3052

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2612

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:2596

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
- Executes dropped EXE
PID:2748

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2940

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:1724

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311072310.log C:\Windows\Logs\CBS\CbsPersist_20240311072310.cab
1⤵
- Drops file in Windows directory
PID:2632

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2915.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
3.6MB

MD5
d918e5e61a1729210259e4e89e2513f4

SHA1
5ae3ecd3881892bf592c91660dbb8228009a5077

SHA256
29cc54ba1220057bb8a62c624ab6bf550d55906c19b52fc1e9cae0d34243609d

SHA512
d6d810a744953f70c6a79376997335ed19db9a5c5c3507e609720ab4f53e9f0fc77de428cdabb6308832af23ec1b45057108de450512aaf25382ff54c91d986c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A93.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
146KB

MD5
900c4a060967967a89a752c665ed6c5c

SHA1
dde1a88eaae23176d3523e11af3d08fa250ec06a

SHA256
da001498605292ed56a73735347ea336aeb9b8af49689dae1da348715dd0d155

SHA512
88b3249e9cc71c88afd644fc5f6bbddbc5263584cae05056a68a1f53b7a115c4db5072bb5b1239dccf61ea60637ba081d1603897315d1871009fefeb40cd5cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
643KB

MD5
fc3ba48d236736975e7aed91254de1a2

SHA1
cba9d51d288032e06642aeebf13bd05b9593e2db

SHA256
863732313aa53a242959b5b5a9d3f7c6f447394634becce6fb13e27d7983544b

SHA512
ea4ea29b151988f2ebb95c0e88e53519cb7789c35a7ead0dfc1134e97e5b95479058022194523ef625866109156c99468f357ac0691212c7a8d9bd637f3d5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
307KB

MD5
20ebcd9bf0a7cea360fa368d059f1c0c

SHA1
bd8f77b603528da8ca7e4fdb92dcec783bec2eb9

SHA256
d6a9528f6d7a43c6b19126632a3dcb1c668664e849bbb29b151286044de8f8a8

SHA512
e90fbccb5207f6bf5be196f8c6ee9807de03b685a85b5f77655b90d08526048e86f137f823e21e274e87ab0adfda32c148ac8036dfad5b59bde22ba7322d5d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Windows\rss\csrss.exe
Filesize
425KB

MD5
c85a3b07092a749fe8264ef35966251b

SHA1
e5519ccb5f0a64960ee26e839ddaf1d2f39efd60

SHA256
aac3cd0eb3335a44b5d75bbdb0670e53beaed28d31385ed8fadf465650b45496

SHA512
1eaaaeafb013bf070377b01bc0da217b5b34e84d0dddf6b667dea7172ab0051ef5b677ce6cf4e79455e3299bc1a9a7fceb0fed428586955a39f320411b7172c6

Download Submit
C:\Windows\rss\csrss.exe
Filesize
318KB

MD5
430a728f2dcb0e5424433116a9f5cdcf

SHA1
449733d1b5412da48751c655f9c4726441168b1c

SHA256
61eef723569224a60162c681987e4bdbe313656cab7b138334c87efd73fddd48

SHA512
87baf9e352c22090ab452975f4080975f5ee86c9c689c8cb72154d12d9604958e49ea224434e8bc32995b80155b14bc01c9ecc83e0aa901e3fe4574dca73ecd0

Download Submit
C:\Windows\rss\csrss.exe
Filesize
702KB

MD5
96dcee60c1c96e4e47eff6dd3ebbf7b9

SHA1
e1873c0b4b8f604954f6b084fe6d938ae9c30e19

SHA256
c83ab7b2fdace8ec0e7234ba5d599619bc7000ea61ce155961c3c6b241659e2f

SHA512
ad534659ff64f3f6e25841a264a0eec3d1954e62176a56d104338708b07054622d5afba185c4812e205974f85429fc3276572e6acc6753e26ebba1d2b4d37653

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
167KB

MD5
25ff14351318bd73c1ef455d77be1450

SHA1
8e4005cc18c1e2e6c690f65f517c839496da5da9

SHA256
8dec9fbdfe388e0593c8d6c4dc2453014bfc188065a044d4b04e55694ed48ddf

SHA512
919221b6f8c3c7aa3ccc5fc3ad8e309c217940a796cceaa45703d116422e590a5f200a2a07c20b825bf714df0819452b5603c775a5f4a5140d63034ca328f231

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
432KB

MD5
06a502ce0fab8c895d862696958df3b5

SHA1
4aeadef273d500dc44db6a7fbf863d1ed046fad7

SHA256
d7c3ac8855566142ac1ed6d45844783c90968b8f2274ee2d2bd2ac266576e3e1

SHA512
42037350d777e2be250b1cc061a67d1c0ae4a4f8e9c53494815ce92f799567929a34dbcedb8b66af4a6f1f94c564ee9c1d32b5b234c63ccaf675ff63f3ada0ca

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
391KB

MD5
d7a826d41b271b264972dadcc9cfac07

SHA1
631599f226a654bf667e6b13ab1f43dab5ca0b6a

SHA256
4c3c9fe9bc2909b3a1a1de038010b6402b1dd22568a4c5cf6f7aad1de9d8f57d

SHA512
ad8b3e965a0cfa522378a5c7e3352affbfba92c9c004c8ef7bb7b6d86e54401535e610d9bf855184ce9d732ebfd842867aff79d09854a98a45af868004556729

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
557KB

MD5
25e6c971355e777ae66a269f338f9566

SHA1
9875525c727ac3f52bdd4b90f57b5f889c7bfa33

SHA256
06c4beb300445814eefccde1c3f28260867f8a279ae28355fdcad810ecd504b7

SHA512
77bef944fecffce2a946eb42b9887f1937bd7e9d8bf25714bd2ef7e856409dad5e8b6c4589920ee845ca54b848008c2478be85fdd8d13c22da8d8a72df177ee0

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
541KB

MD5
45652288ee69ae1483e3b975c5cbb042

SHA1
1b9a7c3dcc06cf959c5f8d33f81266599668ccb0

SHA256
8eb1bf0db26a9a62af5400696aea0cb2619edcec83e68b045db4c0805f3b7209

SHA512
7d38edd6435737ad32b0429428ed9a9ab07b95225c90cbb4509151c221dc874652760910700ffeacb437f136f3085bcc1d4718a943b7b0d0a6410ad45922cedd

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
378KB

MD5
11dd67076ea612d4384f884595d10ce7

SHA1
135266d700b6388d446397ddf3befe80a2f1dee6

SHA256
1f6efe147904ccc478d10476f11b6aabb3203fe7731db8607e60e7d66f9dd1e2

SHA512
e1f7c993a97ddce7f699c15096f90df820bb9a10861d2e19dddecefd943674e0aacfe62417caebfcff36cc48899e68cff3a0573fba560db6a3984029dce0f151

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
310KB

MD5
10b0febd5e15c4c67499d9a3dcf9d5bd

SHA1
49685ff279e7f92cd75862e14f9f5bc65a874c7e

SHA256
73feb0c23196f16128cac3f4f9e77ec6c3fec33e69d7893618181a7375c5e69c

SHA512
01104d9f755256759693271acb033b4dc6d20e53018661c5d00491b7c17b8090ac572c250acdb3e8edb5b11cec4b4af1568025ad1adbc6d896b608091b10bcee

Download Submit
\Windows\rss\csrss.exe
Filesize
201KB

MD5
1388d9d9629a09302c4b87e336dda1e2

SHA1
13f2caf1edd5b8b2d5f98db4e6f039e8c1ce3f86

SHA256
a8d5c4b897d85be05d66c865a8113062c7d392100ca986ca11b33b815971a4d3

SHA512
1788fcc11ff2486a47f466fa350f4c9f4ef0a4b986b5228fbfcdf6fe107c0ddedb1697c7f92b3db5939fa839e61d91f91a85b3895838142d61f82d4922bbeff6

Download Submit
memory/1728-154-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1728-157-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2536-17-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2536-4-0x00000000036C0000-0x0000000003AB8000-memory.dmp

Filesize
4.0MB

Download
memory/2536-6-0x00000000036C0000-0x0000000003AB8000-memory.dmp

Filesize
4.0MB

Download
memory/2536-7-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-115-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-162-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-18-0x0000000003550000-0x0000000003948000-memory.dmp

Filesize
4.0MB

Download
memory/2728-175-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-173-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-113-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-114-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-170-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-119-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-120-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-21-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-168-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-167-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-165-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-150-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-160-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2728-20-0x0000000003950000-0x000000000423B000-memory.dmp

Filesize
8.9MB

Download
memory/2728-19-0x0000000003550000-0x0000000003948000-memory.dmp

Filesize
4.0MB

Download
memory/2728-159-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2820-158-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2820-161-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2820-164-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2924-1-0x0000000003620000-0x0000000003A18000-memory.dmp

Filesize
4.0MB

Download
memory/2924-8-0x0000000003620000-0x0000000003A18000-memory.dmp

Filesize
4.0MB

Download
memory/2924-0-0x0000000003620000-0x0000000003A18000-memory.dmp

Filesize
4.0MB

Download
memory/2924-2-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2924-3-0x0000000003A20000-0x000000000430B000-memory.dmp

Filesize
8.9MB

Download
memory/2924-5-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/3028-28-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3028-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download