glupteba | b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 13:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Size

4.1MB
MD5

008125769572e242cceb203923c0e4b9
SHA1

003bbe8acc6e56f581f60abf2f57fd3a62b9110b
SHA256

b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9
SHA512

26bddc1e4c17a4c327d3b94ae24146a6ed0c9f1e1f87d1fb97fa2bd6cf2b5051edab8f5ffc182cd981aa48414872033f1a854c451ac1149652b34130f56a5d27
SSDEEP

49152:eE+O2B5SstDYqZxVPtpkEwA7Qrnl/tx8+SxZSsAFXhDl23F7LaG/eLHz6fwEpDNU:eEd2+PoZk/AyFxRLzRDQ2SHpIYKCau6

Score

10^/10

glupteba discovery dropper evasion loader persistence privilege_escalation rootkit trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Glupteba family
glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/1724-2-0x0000000004DD0000-0x0000000005647000-memory.dmp	family_glupteba
behavioral1/memory/1724-3-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral1/memory/1724-6-0x0000000004DD0000-0x0000000005647000-memory.dmp	family_glupteba
behavioral1/memory/1724-8-0x0000000000400000-0x0000000000C91000-memory.dmp	family_glupteba
behavioral1/memory/1724-5-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2772-18-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-66-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-70-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-80-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-101-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-102-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-103-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-104-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-105-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-106-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-107-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-108-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-109-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba
behavioral1/memory/2612-110-0x0000000000400000-0x0000000003002000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1916	bcdedit.exe
836	bcdedit.exe
1888	bcdedit.exe
1896	bcdedit.exe
908	bcdedit.exe
1276	bcdedit.exe
2464	bcdedit.exe
3048	bcdedit.exe
2544	bcdedit.exe
2556	bcdedit.exe
1484	bcdedit.exe
1288	bcdedit.exe
1088	bcdedit.exe
1664	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2752	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 4 IoCs

pid	Process
2612	csrss.exe
1452	patch.exe
1324	injector.exe
1924	dsefix.exe

Loads dropped DLL 13 IoCs

pid	Process
2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
864	Process not Found
1452	patch.exe
1452	patch.exe
1452	patch.exe
1452	patch.exe
1452	patch.exe
2612	csrss.exe
1452	patch.exe
1452	patch.exe
1452	patch.exe
2612	csrss.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20241223135851.cab	makecab.exe
File opened for modification	C:\Windows\rss	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1248	schtasks.exe
696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
2612	csrss.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
2612	csrss.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe
1324	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Token: SeImpersonatePrivilege	1724	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
Token: SeSystemEnvironmentPrivilege	2612	csrss.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2832	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	36
PID 2772 wrote to memory of 2832	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	36
PID 2772 wrote to memory of 2832	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	36
PID 2772 wrote to memory of 2832	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	36
PID 2832 wrote to memory of 2752	2832	cmd.exe	38
PID 2832 wrote to memory of 2752	2832	cmd.exe	38
PID 2832 wrote to memory of 2752	2832	cmd.exe	38
PID 2772 wrote to memory of 2612	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	39
PID 2772 wrote to memory of 2612	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	39
PID 2772 wrote to memory of 2612	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	39
PID 2772 wrote to memory of 2612	2772	JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe	39
PID 2612 wrote to memory of 1324	2612	csrss.exe	46
PID 2612 wrote to memory of 1324	2612	csrss.exe	46
PID 2612 wrote to memory of 1324	2612	csrss.exe	46
PID 2612 wrote to memory of 1324	2612	csrss.exe	46
PID 1452 wrote to memory of 1916	1452	patch.exe	49
PID 1452 wrote to memory of 1916	1452	patch.exe	49
PID 1452 wrote to memory of 1916	1452	patch.exe	49
PID 1452 wrote to memory of 836	1452	patch.exe	51
PID 1452 wrote to memory of 836	1452	patch.exe	51
PID 1452 wrote to memory of 836	1452	patch.exe	51
PID 1452 wrote to memory of 1888	1452	patch.exe	53
PID 1452 wrote to memory of 1888	1452	patch.exe	53
PID 1452 wrote to memory of 1888	1452	patch.exe	53
PID 1452 wrote to memory of 1896	1452	patch.exe	55
PID 1452 wrote to memory of 1896	1452	patch.exe	55
PID 1452 wrote to memory of 1896	1452	patch.exe	55
PID 1452 wrote to memory of 908	1452	patch.exe	57
PID 1452 wrote to memory of 908	1452	patch.exe	57
PID 1452 wrote to memory of 908	1452	patch.exe	57
PID 1452 wrote to memory of 1276	1452	patch.exe	59
PID 1452 wrote to memory of 1276	1452	patch.exe	59
PID 1452 wrote to memory of 1276	1452	patch.exe	59
PID 1452 wrote to memory of 2464	1452	patch.exe	61
PID 1452 wrote to memory of 2464	1452	patch.exe	61
PID 1452 wrote to memory of 2464	1452	patch.exe	61
PID 1452 wrote to memory of 3048	1452	patch.exe	63
PID 1452 wrote to memory of 3048	1452	patch.exe	63
PID 1452 wrote to memory of 3048	1452	patch.exe	63
PID 1452 wrote to memory of 2544	1452	patch.exe	65
PID 1452 wrote to memory of 2544	1452	patch.exe	65
PID 1452 wrote to memory of 2544	1452	patch.exe	65
PID 1452 wrote to memory of 2556	1452	patch.exe	67
PID 1452 wrote to memory of 2556	1452	patch.exe	67
PID 1452 wrote to memory of 2556	1452	patch.exe	67
PID 1452 wrote to memory of 1484	1452	patch.exe	69
PID 1452 wrote to memory of 1484	1452	patch.exe	69
PID 1452 wrote to memory of 1484	1452	patch.exe	69
PID 1452 wrote to memory of 1288	1452	patch.exe	71
PID 1452 wrote to memory of 1288	1452	patch.exe	71
PID 1452 wrote to memory of 1288	1452	patch.exe	71
PID 1452 wrote to memory of 1088	1452	patch.exe	73
PID 1452 wrote to memory of 1088	1452	patch.exe	73
PID 1452 wrote to memory of 1088	1452	patch.exe	73
PID 2612 wrote to memory of 1664	2612	csrss.exe	75
PID 2612 wrote to memory of 1664	2612	csrss.exe	75
PID 2612 wrote to memory of 1664	2612	csrss.exe	75
PID 2612 wrote to memory of 1664	2612	csrss.exe	75
PID 2612 wrote to memory of 1924	2612	csrss.exe	77
PID 2612 wrote to memory of 1924	2612	csrss.exe	77
PID 2612 wrote to memory of 1924	2612	csrss.exe	77
PID 2612 wrote to memory of 1924	2612	csrss.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      Modifies data under HKEY_USERS
      PID:2752
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1248
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1916
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:836
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1888
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1896
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:908
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1276
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2464
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3048
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2544
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2556
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1484
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1288
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1324
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:1924
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:696

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241223135851.log C:\Windows\Logs\CBS\CbsPersist_20241223135851.cab
1⤵
- Drops file in Windows directory
PID:1424

Network

DNS

76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion

csrss.exe

Remote address:

8.8.8.8:53

Request

76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion

IN TXT

Response
DNS

msdl.microsoft.com

patch.exe

Remote address:

8.8.8.8:53

Request

msdl.microsoft.com

IN A

Response

msdl.microsoft.com

IN CNAME

msdl.microsoft.akadns.net

msdl.microsoft.akadns.net

IN CNAME

msdl-microsoft-com.a-0016.a-msedge.net

msdl-microsoft-com.a-0016.a-msedge.net

IN CNAME

a-0016.a-msedge.net

a-0016.a-msedge.net

IN A

204.79.197.219
GET

https://msdl.microsoft.com/download/symbols/index2.txt

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/index2.txt HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

X-Cache: TCP_HIT
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 99CBFD55ED644B868E98D2A6A81D799B Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:09Z
Date: Mon, 23 Dec 2024 13:59:08 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 9182CCD01615475FAC4AB5D393F25A16 Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:09Z
Date: Mon, 23 Dec 2024 13:59:08 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
X-Cache: TCP_HIT
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 8AF5A3216510484985A2D9EAEF0C1803 Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:19Z
Date: Mon, 23 Dec 2024 13:59:19 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/index2.txt

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/index2.txt HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

X-Cache: TCP_HIT
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 1B71249D144A42C4A18B556D625EF67B Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:30Z
Date: Mon, 23 Dec 2024 13:59:29 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
X-Cache: TCP_MISS
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: D20C3422CC154B99B9142D4C6A3AB83F Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:30Z
Date: Mon, 23 Dec 2024 13:59:29 GMT
Content-Length: 0
GET

https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

patch.exe

Remote address:

204.79.197.219:443

Request

GET /download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Host: msdl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

Location: https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
X-Cache: TCP_HIT
Strict-Transport-Security: includeSubDomains
X-MSEdge-Ref: Ref A: 959DF252C0BE4286ADAE0055A1EA9F66 Ref B: LON04EDGE0814 Ref C: 2024-12-23T13:59:32Z
Date: Mon, 23 Dec 2024 13:59:31 GMT
Content-Length: 0
DNS

vsblobprodscussu5shard30.blob.core.windows.net

patch.exe

Remote address:

8.8.8.8:53

Request

vsblobprodscussu5shard30.blob.core.windows.net

IN A

Response

vsblobprodscussu5shard30.blob.core.windows.net

IN CNAME

blob.sat09prdstrz08a.store.core.windows.net

blob.sat09prdstrz08a.store.core.windows.net

IN CNAME

blob.sat09prdstrz08a.trafficmanager.net

blob.sat09prdstrz08a.trafficmanager.net

IN A

20.150.38.228

blob.sat09prdstrz08a.trafficmanager.net

IN A

20.150.79.68

blob.sat09prdstrz08a.trafficmanager.net

IN A

20.150.70.36
GET

https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d

patch.exe

Remote address:

20.150.38.228:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard30.blob.core.windows.net

Response

HTTP/1.1 200 OK

Content-Length: 8752128
Content-Type: application/octet-stream
Content-Language: x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
Accept-Ranges: bytes
ETag: "0x8D4B1DACA398C54"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: ef93b483-a01e-003c-3842-557fcf000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Mon, 23 Dec 2024 13:59:09 GMT
GET

https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d

patch.exe

Remote address:

20.150.38.228:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard30.blob.core.windows.net

Response

HTTP/1.1 200 OK

Content-Length: 8752128
Content-Type: application/octet-stream
Content-Language: x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d
Last-Modified: Mon, 12 Jun 2017 21:34:21 GMT
Accept-Ranges: bytes
ETag: "0x8D4B1DACA398C54"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: ef93c1c0-a01e-003c-2842-557fcf000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 05 May 2017 08:24:14 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Mon, 23 Dec 2024 13:59:19 GMT
DNS

vsblobprodscussu5shard20.blob.core.windows.net

patch.exe

Remote address:

8.8.8.8:53

Request

vsblobprodscussu5shard20.blob.core.windows.net

IN A

Response

vsblobprodscussu5shard20.blob.core.windows.net

IN CNAME

blob.sat09prdstrz08a.store.core.windows.net

blob.sat09prdstrz08a.store.core.windows.net

IN CNAME

blob.sat09prdstrz08a.trafficmanager.net

blob.sat09prdstrz08a.trafficmanager.net

IN A

20.150.38.228

blob.sat09prdstrz08a.trafficmanager.net

IN A

20.150.70.36

blob.sat09prdstrz08a.trafficmanager.net

IN A

20.150.79.68
GET

https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d

patch.exe

Remote address:

20.150.38.228:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard20.blob.core.windows.net

Response

HTTP/1.1 200 OK

Content-Length: 503808
Content-Type: application/octet-stream
Content-Language: x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
Accept-Ranges: bytes
ETag: "0x8DC23A6A7A80D5E"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b351b99b-c01e-0005-6142-5584d3000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Mon, 23 Dec 2024 13:59:31 GMT
GET

https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d

patch.exe

Remote address:

20.150.38.228:443

Request

GET /b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d HTTP/1.1
Accept-Encoding: gzip
User-Agent: Microsoft-Symbol-Server/10.0.10586.567
Connection: Keep-Alive
Cache-Control: no-cache
Host: vsblobprodscussu5shard20.blob.core.windows.net

Response

HTTP/1.1 200 OK

Content-Length: 503808
Content-Type: application/octet-stream
Content-Language: x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d
Last-Modified: Fri, 02 Feb 2024 04:23:06 GMT
Accept-Ranges: bytes
ETag: "0x8DC23A6A7A80D5E"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: b351bc44-c01e-0005-5642-5584d3000000
x-ms-version: 2019-07-07
x-ms-creation-time: Fri, 02 Feb 2024 04:23:06 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Access-Control-Expose-Headers: Content-Length
Access-Control-Allow-Origin: *
Date: Mon, 23 Dec 2024 13:59:32 GMT
DNS

crl.microsoft.com

Remote address:

8.8.8.8:53

Request

crl.microsoft.com

IN A

Response

crl.microsoft.com

IN CNAME

crl.www.ms.akadns.net

crl.www.ms.akadns.net

IN CNAME

a1363.dscg.akamai.net

a1363.dscg.akamai.net

IN A

2.19.252.143

a1363.dscg.akamai.net

IN A

2.19.252.157
GET

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Remote address:

2.19.252.143:80

Request

GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 346168ca-101e-0054-5d36-4c18bd000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Mon, 23 Dec 2024 13:59:39 GMT
Connection: keep-alive
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

95.100.245.144
GET

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

Remote address:

95.100.245.144:80

Request

GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: e4f947ba-101e-006b-4fef-2bd01e000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
X-EdgeConnect-Origin-MEX-Latency: 111
Date: Mon, 23 Dec 2024 13:59:39 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV18b09cd1.0
ms-cv-esi: CASMicrosoftCV18b09cd1.0
X-RTag: RT
DNS

stun.stunprotocol.org

csrss.exe

Remote address:

8.8.8.8:53

Request

stun.stunprotocol.org

IN A

Response

stun.stunprotocol.org

IN A

127.0.0.1
DNS

cdn.discordapp.com

csrss.exe

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.133.233
DNS

stun.sipgate.net

csrss.exe

Remote address:

8.8.8.8:53

Request

stun.sipgate.net

IN A

Response

stun.sipgate.net

IN CNAME

stun.sipgate.cloud

stun.sipgate.cloud

IN CNAME

a6adcb4b9bf816abe.awsglobalaccelerator.com

a6adcb4b9bf816abe.awsglobalaccelerator.com

IN A

15.197.250.192

a6adcb4b9bf816abe.awsglobalaccelerator.com

IN A

3.33.249.248
DNS

blockchain.info

csrss.exe

Remote address:

8.8.8.8:53

Request

blockchain.info

IN A

Response

blockchain.info

IN A

104.16.237.243

blockchain.info

IN A

104.16.236.243
DNS

server6.statscreate.org

csrss.exe

Remote address:

8.8.8.8:53

Request

server6.statscreate.org

IN A

Response

204.79.197.219:443

https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

tls, http

patch.exe

2.8kB
10.8kB
17
21

HTTP Request

GET https://msdl.microsoft.com/download/symbols/index2.txt

HTTP Response

404

HTTP Request

GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

HTTP Response

302

HTTP Request

GET https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E2/ntkrnlmp.pdb

HTTP Response

302

HTTP Request

GET https://msdl.microsoft.com/download/symbols/index2.txt

HTTP Response

404

HTTP Request

GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

HTTP Response

302

HTTP Request

GET https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb

HTTP Response

302
20.150.38.228:443

https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d

tls, http

patch.exe

335.5kB
18.1MB
7094
13003

HTTP Request

GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d

HTTP Response

200

HTTP Request

GET https://vsblobprodscussu5shard30.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/532FE4B89C0696BBB1F353A7F1CAFE02D477AF8648ED3B34046FF47FBB7FF1EC00.blob?sv=2019-07-07&sr=b&sig=txl4S7679r4YGhnxcEXTVbSbFBYtin6eoObzGpszFPE%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T09%3A24%3A11Z&ske=2024-12-25T10%3A24%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A19%3A30Z&sp=r&rscl=x-e2eid-1dc01477-bbb54c35-8768c0dd-c32f2c9e-session-66a0bbd4-3327490a-be498c32-8683bc9d

HTTP Response

200
20.150.38.228:443

https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d

tls, http

patch.exe

27.5kB
1.1MB
524
756

HTTP Request

GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d

HTTP Response

200

HTTP Request

GET https://vsblobprodscussu5shard20.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/13DA6A038B00D25FB112C12EFB833E142050BFD31BF99A3458E647A3C6B0BCCD00.blob?sv=2019-07-07&sr=b&sig=sK6OHu17cXFM24Gx9Ke%2FCIgCBKXrBSFPiK81N69YqF4%3D&skoid=4866d8d7-57cb-4216-997d-bade18bdbe68&sktid=33e01921-4d64-4f8c-a055-5bdaffd5e33d&skt=2024-12-23T10%3A06%3A11Z&ske=2024-12-25T11%3A06%3A11Z&sks=b&skv=2019-07-07&se=2024-12-24T14%3A04%3A39Z&sp=r&rscl=x-e2eid-95e1ee86-aaf845d6-b524b1b8-f60d8a2e-session-66a0483c-3327490a-be498c32-8683bc9d

HTTP Response

200
2.19.252.143:80

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

http

399 B
1.7kB
4
4

HTTP Request

GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

HTTP Response

200
95.100.245.144:80

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

http

393 B
1.8kB
4
4

HTTP Request

GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

HTTP Response

200
162.159.134.233:443

cdn.discordapp.com

tls

csrss.exe

1.2kB
5.5kB
14
15
127.0.0.1:31464

csrss.exe
127.0.0.1:31464

csrss.exe
127.0.0.1:31464

csrss.exe
104.16.237.243:443

blockchain.info

tls

csrss.exe

1.3kB
12.8kB
15
21

8.8.8.8:53

76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion

dns

csrss.exe

150 B
225 B
1
1

DNS Request

76611da0-fcc7-4649-bc48-1658ce309b32.uuid.dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
8.8.8.8:53

msdl.microsoft.com

dns

patch.exe

64 B
182 B
1
1

DNS Request

msdl.microsoft.com

DNS Response

204.79.197.219
8.8.8.8:53

vsblobprodscussu5shard30.blob.core.windows.net

dns

patch.exe

92 B
231 B
1
1

DNS Request

vsblobprodscussu5shard30.blob.core.windows.net

DNS Response

20.150.38.228

20.150.79.68

20.150.70.36
8.8.8.8:53

vsblobprodscussu5shard20.blob.core.windows.net

dns

patch.exe

92 B
231 B
1
1

DNS Request

vsblobprodscussu5shard20.blob.core.windows.net

DNS Response

20.150.38.228

20.150.70.36

20.150.79.68
8.8.8.8:53

crl.microsoft.com

dns

63 B
162 B
1
1

DNS Request

crl.microsoft.com

DNS Response

2.19.252.143

2.19.252.157
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

95.100.245.144
8.8.8.8:53

stun.stunprotocol.org

dns

csrss.exe

67 B
83 B
1
1

DNS Request

stun.stunprotocol.org

DNS Response

127.0.0.1
8.8.8.8:53

cdn.discordapp.com

dns

csrss.exe

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.134.233

162.159.130.233

162.159.129.233

162.159.135.233

162.159.133.233
127.0.0.1:3478

csrss.exe
8.8.8.8:53

stun.sipgate.net

dns

csrss.exe

62 B
182 B
1
1

DNS Request

stun.sipgate.net

DNS Response

15.197.250.192

3.33.249.248
15.197.250.192:3478

stun.sipgate.net

csrss.exe

48 B
124 B
1
1
8.8.8.8:53

blockchain.info

dns

csrss.exe

61 B
93 B
1
1

DNS Request

blockchain.info

DNS Response

104.16.237.243

104.16.236.243
8.8.8.8:53

server6.statscreate.org

dns

csrss.exe

69 B
151 B
1
1

DNS Request

server6.statscreate.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
008125769572e242cceb203923c0e4b9

SHA1
003bbe8acc6e56f581f60abf2f57fd3a62b9110b

SHA256
b4dff52e74650c7d6515e360edc3f81224121780fba00fb27a1136ebff6713d9

SHA512
26bddc1e4c17a4c327d3b94ae24146a6ed0c9f1e1f87d1fb97fa2bd6cf2b5051edab8f5ffc182cd981aa48414872033f1a854c451ac1149652b34130f56a5d27

Download Submit
memory/1452-36-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1452-50-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1724-3-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1724-0-0x00000000032C0000-0x00000000036A9000-memory.dmp

Filesize
3.9MB

Download
memory/1724-5-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/1724-7-0x00000000032C0000-0x00000000036A9000-memory.dmp

Filesize
3.9MB

Download
memory/1724-8-0x0000000000400000-0x0000000000C91000-memory.dmp

Filesize
8.6MB

Download
memory/1724-1-0x00000000032C0000-0x00000000036A9000-memory.dmp

Filesize
3.9MB

Download
memory/1724-6-0x0000000004DD0000-0x0000000005647000-memory.dmp

Filesize
8.5MB

Download
memory/1724-2-0x0000000004DD0000-0x0000000005647000-memory.dmp

Filesize
8.5MB

Download
memory/2612-108-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-104-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-17-0x00000000033E0000-0x00000000037C9000-memory.dmp

Filesize
3.9MB

Download
memory/2612-80-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-70-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-101-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-66-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-102-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-103-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-111-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-105-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-106-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-107-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-110-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2612-109-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2772-18-0x0000000000400000-0x0000000003002000-memory.dmp

Filesize
44.0MB

Download
memory/2772-4-0x0000000003550000-0x0000000003939000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.