glupteba | f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 00:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Size

4.1MB
MD5

72c5c455824eb7c3791ed917541e22cf
SHA1

c4168eb84e3e48650bc6742256d290a81c98d9b9
SHA256

f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb
SHA512

d0015dea74a704fb2c5268e4d8a7cfb57d57e24c5dbb6f57480b06827bc1ce1efa419e57b811562b028e2614521763d18993ce415092b4139d2960fc07c93c8c
SSDEEP

98304:XfoZjwaqLS9kJMOnAKemjlsux99jgxBERa1fbjFmM+dfPY:XQjwJpM4AK9sunxgxag1fbvB

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 22 IoCs

resource	yara_rule
behavioral1/memory/1952-2-0x0000000002A90000-0x000000000337B000-memory.dmp	family_glupteba
behavioral1/memory/1952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1952-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1952-6-0x0000000002A90000-0x000000000337B000-memory.dmp	family_glupteba
behavioral1/memory/2560-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2560-19-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-22-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-103-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-106-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-107-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-119-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-120-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-121-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-123-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-124-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-125-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-134-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-154-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2788-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe

Detects Windows executables referencing non-Windows User-Agents 20 IoCs

resource	yara_rule
behavioral1/memory/1952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1952-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2560-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2560-19-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-22-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-103-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-106-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-107-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-119-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-120-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-121-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-123-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-124-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-125-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-134-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-154-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2788-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables Discord URL observed in first stage droppers 20 IoCs

resource	yara_rule
behavioral1/memory/1952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1952-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2560-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2560-19-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-22-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-103-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-106-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-107-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-119-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-120-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-121-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-123-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-124-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-125-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-134-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-154-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2788-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 20 IoCs

resource	yara_rule
behavioral1/memory/1952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1952-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2560-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2560-19-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-22-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-103-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-106-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-107-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-119-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-120-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-121-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-123-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-124-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-125-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-134-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-154-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2788-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 20 IoCs

resource	yara_rule
behavioral1/memory/1952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1952-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2560-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2560-19-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-22-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-103-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-106-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-107-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-119-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-120-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-121-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-123-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-124-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-125-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-134-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-154-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2788-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 20 IoCs

resource	yara_rule
behavioral1/memory/1952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1952-5-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2560-9-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2560-19-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-22-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-103-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-105-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-106-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-107-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-119-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-120-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-121-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-123-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-124-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-125-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-134-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-154-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2788-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2360	bcdedit.exe
2876	bcdedit.exe
2636	bcdedit.exe
2544	bcdedit.exe
1504	bcdedit.exe
1784	bcdedit.exe
648	bcdedit.exe
544	bcdedit.exe
2772	bcdedit.exe
808	bcdedit.exe
944	bcdedit.exe
2688	bcdedit.exe
2696	bcdedit.exe
1648	bcdedit.exe

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018b6a-157.dat	UPX
behavioral1/memory/2104-159-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/memory/2724-162-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX
behavioral1/memory/2104-163-0x0000000000400000-0x00000000008DF000-memory.dmp	UPX

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2376	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 6 IoCs

pid	Process
2788	csrss.exe
2672	patch.exe
1848	injector.exe
1588	dsefix.exe
2104	windefender.exe
2724	windefender.exe

Loads dropped DLL 13 IoCs

pid	Process
2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
864	Process not Found
2672	patch.exe
2672	patch.exe
2672	patch.exe
2672	patch.exe
2672	patch.exe
2788	csrss.exe
2672	patch.exe
2672	patch.exe
2672	patch.exe
2788	csrss.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018b6a-157.dat	upx
behavioral1/memory/2104-159-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2724-162-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2104-163-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
File created	C:\Windows\rss\csrss.exe	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240315005029.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
272	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1996	schtasks.exe
2744	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe
1848	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Token: SeImpersonatePrivilege	1952	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
Token: SeSystemEnvironmentPrivilege	2788	csrss.exe
Token: SeSecurityPrivilege	272	sc.exe
Token: SeSecurityPrivilege	272	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2004	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	33
PID 2560 wrote to memory of 2004	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	33
PID 2560 wrote to memory of 2004	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	33
PID 2560 wrote to memory of 2004	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	33
PID 2004 wrote to memory of 2376	2004	cmd.exe	35
PID 2004 wrote to memory of 2376	2004	cmd.exe	35
PID 2004 wrote to memory of 2376	2004	cmd.exe	35
PID 2560 wrote to memory of 2788	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	36
PID 2560 wrote to memory of 2788	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	36
PID 2560 wrote to memory of 2788	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	36
PID 2560 wrote to memory of 2788	2560	f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe	36
PID 2788 wrote to memory of 1848	2788	csrss.exe	44
PID 2788 wrote to memory of 1848	2788	csrss.exe	44
PID 2788 wrote to memory of 1848	2788	csrss.exe	44
PID 2788 wrote to memory of 1848	2788	csrss.exe	44
PID 2672 wrote to memory of 2360	2672	patch.exe	49
PID 2672 wrote to memory of 2360	2672	patch.exe	49
PID 2672 wrote to memory of 2360	2672	patch.exe	49
PID 2672 wrote to memory of 2876	2672	patch.exe	51
PID 2672 wrote to memory of 2876	2672	patch.exe	51
PID 2672 wrote to memory of 2876	2672	patch.exe	51
PID 2672 wrote to memory of 2636	2672	patch.exe	53
PID 2672 wrote to memory of 2636	2672	patch.exe	53
PID 2672 wrote to memory of 2636	2672	patch.exe	53
PID 2672 wrote to memory of 2544	2672	patch.exe	55
PID 2672 wrote to memory of 2544	2672	patch.exe	55
PID 2672 wrote to memory of 2544	2672	patch.exe	55
PID 2672 wrote to memory of 1504	2672	patch.exe	57
PID 2672 wrote to memory of 1504	2672	patch.exe	57
PID 2672 wrote to memory of 1504	2672	patch.exe	57
PID 2672 wrote to memory of 1784	2672	patch.exe	59
PID 2672 wrote to memory of 1784	2672	patch.exe	59
PID 2672 wrote to memory of 1784	2672	patch.exe	59
PID 2672 wrote to memory of 648	2672	patch.exe	61
PID 2672 wrote to memory of 648	2672	patch.exe	61
PID 2672 wrote to memory of 648	2672	patch.exe	61
PID 2672 wrote to memory of 544	2672	patch.exe	63
PID 2672 wrote to memory of 544	2672	patch.exe	63
PID 2672 wrote to memory of 544	2672	patch.exe	63
PID 2672 wrote to memory of 2772	2672	patch.exe	65
PID 2672 wrote to memory of 2772	2672	patch.exe	65
PID 2672 wrote to memory of 2772	2672	patch.exe	65
PID 2672 wrote to memory of 808	2672	patch.exe	67
PID 2672 wrote to memory of 808	2672	patch.exe	67
PID 2672 wrote to memory of 808	2672	patch.exe	67
PID 2672 wrote to memory of 944	2672	patch.exe	69
PID 2672 wrote to memory of 944	2672	patch.exe	69
PID 2672 wrote to memory of 944	2672	patch.exe	69
PID 2672 wrote to memory of 2688	2672	patch.exe	71
PID 2672 wrote to memory of 2688	2672	patch.exe	71
PID 2672 wrote to memory of 2688	2672	patch.exe	71
PID 2672 wrote to memory of 2696	2672	patch.exe	73
PID 2672 wrote to memory of 2696	2672	patch.exe	73
PID 2672 wrote to memory of 2696	2672	patch.exe	73
PID 2788 wrote to memory of 1648	2788	csrss.exe	75
PID 2788 wrote to memory of 1648	2788	csrss.exe	75
PID 2788 wrote to memory of 1648	2788	csrss.exe	75
PID 2788 wrote to memory of 1648	2788	csrss.exe	75
PID 2788 wrote to memory of 1588	2788	csrss.exe	77
PID 2788 wrote to memory of 1588	2788	csrss.exe	77
PID 2788 wrote to memory of 1588	2788	csrss.exe	77
PID 2788 wrote to memory of 1588	2788	csrss.exe	77
PID 2104 wrote to memory of 820	2104	windefender.exe	84
PID 2104 wrote to memory of 820	2104	windefender.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
"C:\Users\Admin\AppData\Local\Temp\f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952
- C:\Users\Admin\AppData\Local\Temp\f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe
  "C:\Users\Admin\AppData\Local\Temp\f341a49386ec2b702dbbdd39d5010b9c1b8742d678864844f0012b3e4ee6a8cb.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:2376
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1996
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:372
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2360
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2876
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2636
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2544
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1504
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1784
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:648
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:544
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2772
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:808
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:944
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2688
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1848
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:1588
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2744
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:820
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:272

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240315005029.log C:\Windows\Logs\CBS\CbsPersist_20240315005029.cab
1⤵
- Drops file in Windows directory
PID:2464

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0C9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD3AD.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
154KB

MD5
67a0369a6d4764c9795fa3f696e8194c

SHA1
f1b205a620567783e6007fa8b7ccb6bea05bfde6

SHA256
081435a05fd8140994348aa835324fa01bc8884bbc6956ad22eb9d8c7b73f5c1

SHA512
20e7a773bf15a20ab398efa73957e5e90850a97b4a31fca11359ca2746390bb5ee858831bb340e805f6c3bd2264e5965955d5bbfc2505d9761ac666cb5e967eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.1MB

MD5
91e28c899b70a8d209a1b1cf2fb55ca6

SHA1
fcf9e54c9527b49df295762746100ffe7220a134

SHA256
3abb91bd241783dfb812ad92d8f9f77125b0dcb903b7540a31729e7b4d7c3f8e

SHA512
b78639664b7b65885b00bcbb79a28a591fad19f0758b298257cf40f0f26db663134851ff38cc093848e014c8ca38666446abce1057bca1377a4e1b581bbeee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
780KB

MD5
196488835057e60de41cdedb831bd74e

SHA1
eabccc7ce16b239719873a56ca7093958ffc5a24

SHA256
a12dbec18619a40e9c19ce5a5d2f826a9630146241cbec0d020c8b3da748360a

SHA512
a92ad53bb980b2db136bed2f4bf37dc0f56e5558a3848fa33167a578f83e28b857bf723363cd736d5dd87286f04fe838df69be188158cef52bcff659eb8b8951

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.5MB

MD5
347c7e99639c22cd29c70aa2c41e51f6

SHA1
ef5dca389d24957564752c5c63e50bbcecea072a

SHA256
234b22a9739c670d9dc330df6f0f0769d633d0f3667509f54a73a459194585ed

SHA512
6feffa137f552f831993f48e275328b252610b80d4993a47ebb652f5348dc6b20d0bba6efeccd8bb64fa3fd98b0c22c06af1d820965ed4efb1ba8fe484b86b89

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.2MB

MD5
4ccbba432d39951b56f721e28dd37307

SHA1
4961c09691bed66d7bb019c5077ab2805e3601b3

SHA256
98e6a96b7630bc3f975a03545d59e855b62bb7d933732eb5c4b8c63fa9e88268

SHA512
bfc31dd363e7e76d72c6724b63b5ebe5f5afeecc5aec544301f2566b8308d5533e237613c233d824822f92a6b52d8169ffb2e65213bc40232417b0589ab42acb

Download Submit
C:\Windows\rss\csrss.exe

Filesize
112KB

MD5
45006ff3e3774797cd1fe591af1957d2

SHA1
603584bd121270025b97fb942743fb98d7d22630

SHA256
b8d0bfe3e84e062799282e46e8949bb1593b8b8118f0b2f08f9fd9a0d52042c4

SHA512
b34b3af2685abacd25e89a049de9bdfc0faa8b100e0eeb5ac76775f61db338aaf1c40d9265a0a6ab13feb90bcce5b5cf78378203692b00619a7efd27ed5d3dba

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
68KB

MD5
4200bbe4590a103eebe5af2065eae400

SHA1
758e5b9a7ee44faf13ed999a385848e73b9c0dd8

SHA256
48a48144d225a849041a95f67b7fc62ae50d2ce875bb0c3a69cd0c9b700abf5e

SHA512
02b704edc52de6f4a847b9df894dd43eba422cbff3599057be3682713b42ca7783937095f048b11d8023276193b18db5dbc4b2902ef6a589f78404df3cd28d06

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.1MB

MD5
8b2d1aa65f15169951807d3b5b5f3b99

SHA1
81bf5827bd3260eb4c27f51fba11d568bde76fdf

SHA256
75d9ed8f1ee959ecd05c576710cac6450b5ddb4ab9dae3bb674f58021a2803ef

SHA512
cb5b58e6f8f53e8bfd417a4ac2e96820d36294ba6272c0fcb9c449a0fd4aac1d70f6d70922ae6f0fe8596d4e9338c1deb7ccb472ce7d863ce953a07f659af869

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.3MB

MD5
ac2be4601fb046b744414f47e6ae2b54

SHA1
6ddcfc27e2ca743dc2df4b8e000cf19bd611a54a

SHA256
1980d7cc83b35eecca56fce543479b7c6fd29ab6a90f49ce116b173cb3680745

SHA512
90367f33ab1343a4fbf0be05119f71ab3a77121252f2b8786851dbf2f05d326e1d4a2221dd41714fa6165b41d0d5f922aa89d97fce2d60529692c304e902cb96

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
480KB

MD5
0cdb1f1165923bb955fe17ae5f2f7256

SHA1
5c5cc2aa69f1cd74f60ded882f6386e85c7dbb71

SHA256
002e0a6de1e1efbc029d8228aaa75bb7c4a6095c5c612ac92d9a8d51db1296d2

SHA512
812315dd9151bca01fa614984fde21d36009a6cd27928b6b16e01bf11374d9308f757fa95e25eb55309f55ffa5e87b9b0fac4dc6eeb2fdf26ef519d3df37c599

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
832KB

MD5
b90b36d0b7fbfda604135ce78819cd91

SHA1
adb3689e35e07241cf5d5bada3292089a13e3995

SHA256
6e995e79eb28b5b9938ae2b30532df6d3d9a6a75268300fb4c64e30fa6883435

SHA512
81c83396dd3f01ac78af2ac9e22cd01276105ac888311d6571f43b6c680f08e2d64be1b7dfebfc6eb520074f4c05a41fe166d39bea5a4820e002e5f26e5f6c65

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
880KB

MD5
cc9f6a9538eab5d7382d13f226389bf2

SHA1
5e88fca0113c7139bbb7014cebe368fe542c43d9

SHA256
bcad825dace98a00ea023a34ab0659bd4bdf3f6c2d361b358bce42006e090603

SHA512
a65efcbc530acf01e7fee07659af1c3541aece428c48d06394a5b8fcd53184abe7037e5a3362f8f5bb43057ee61845111d04c4139d2bbb932bb9c3ab8bb5d9c4

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
866KB

MD5
5dbc5ba5cb8d6594a854f24153e7a6b2

SHA1
0418a20406ab3018aed0e832f352a5b73aeffb28

SHA256
9d810de7be883f5fdd91eed70e3065ec4478a012c6e304ab87d43e2db1b046aa

SHA512
4c5ca557cbf95586cf0d00890a503900b6d1d4c180e3ab94726d4c0fc9aea28d12794ef1198620eeb24bd144e6abad323ae3bc6d53c09bace470eaf796f6009a

Download Submit
\Windows\rss\csrss.exe

Filesize
1.3MB

MD5
96003e18c84c395eea8e3731e0fc61fe

SHA1
e255283130cb6f5a1698e8e885caf1e0484f94c5

SHA256
35a6911e5494708165af840c22a02013feb905875b718479558327f6c887d09d

SHA512
f1b24d0d4a78114335b2c97bf70569100256e0dda53ba38e9c055eb2f9719f4ae1897ce771efaf3cbe716bbefafdbaa1a2a7602d817d85e0aab377b9f23e06e9

Download Submit
memory/1952-1-0x0000000000F70000-0x0000000001368000-memory.dmp

Filesize
4.0MB

Download
memory/1952-7-0x0000000000F70000-0x0000000001368000-memory.dmp

Filesize
4.0MB

Download
memory/1952-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1952-0-0x0000000000F70000-0x0000000001368000-memory.dmp

Filesize
4.0MB

Download
memory/1952-6-0x0000000002A90000-0x000000000337B000-memory.dmp

Filesize
8.9MB

Download
memory/1952-2-0x0000000002A90000-0x000000000337B000-memory.dmp

Filesize
8.9MB

Download
memory/1952-5-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2104-163-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2104-159-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2560-8-0x0000000000F20000-0x0000000001318000-memory.dmp

Filesize
4.0MB

Download
memory/2560-4-0x0000000000F20000-0x0000000001318000-memory.dmp

Filesize
4.0MB

Download
memory/2560-19-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2560-9-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2560-20-0x0000000000F20000-0x0000000001318000-memory.dmp

Filesize
4.0MB

Download
memory/2672-48-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2672-42-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2724-162-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2788-104-0x0000000000F60000-0x0000000001358000-memory.dmp

Filesize
4.0MB

Download
memory/2788-134-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-120-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-121-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-123-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-124-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-105-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-119-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-103-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-22-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-154-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-18-0x0000000000F60000-0x0000000001358000-memory.dmp

Filesize
4.0MB

Download
memory/2788-158-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-107-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-106-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2788-21-0x0000000000F60000-0x0000000001358000-memory.dmp

Filesize
4.0MB

Download
memory/2788-164-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download