glupteba | d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad

Analysis

max time kernel
299s
max time network
280s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Size

4.2MB
MD5

2a078595bc7b06b6c0a40602c54655e5
SHA1

9089522396d2f55532e3f4ecfd7a6c212e644d81
SHA256

d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad
SHA512

8404453e3da38a8c28d1b26c548e848002e608f935a9a12b66be91912f5ff44c496ab0b834c957d1dab9fa264d5c95b11a24db7ae7743e15e50dbdaa60d9299f
SSDEEP

98304:kaNbqhCdxeFU4O1fE+zS7qSCmefXoHWeJEEWIG/KhNefuiDKg:katqhS4FIu+O7BChvI4KhEuiDP

Score

10^/10

glupteba discovery dropper evasion loader persistence ransomware rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 37 IoCs

resource	yara_rule
behavioral1/memory/1212-2-0x00000000029D0000-0x00000000032BB000-memory.dmp	family_glupteba
behavioral1/memory/1212-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1212-4-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1212-6-0x00000000029D0000-0x00000000032BB000-memory.dmp	family_glupteba
behavioral1/memory/2604-9-0x0000000002A10000-0x00000000032FB000-memory.dmp	family_glupteba
behavioral1/memory/2604-10-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2604-19-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-34-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-106-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-110-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-111-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-138-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-142-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-148-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-150-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-152-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-154-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-156-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-158-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-160-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-164-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-166-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-168-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-170-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-172-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-174-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-176-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-178-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-180-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-182-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-184-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-186-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-188-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-190-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-192-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-194-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2552-196-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe

Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
968	bcdedit.exe
904	bcdedit.exe
1720	bcdedit.exe
2984	bcdedit.exe
2940	bcdedit.exe
1756	bcdedit.exe
2268	bcdedit.exe
2012	bcdedit.exe
280	bcdedit.exe
1776	bcdedit.exe
848	bcdedit.exe
2108	bcdedit.exe
1400	bcdedit.exe
1228	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1748	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 6 IoCs

pid	Process
2552	csrss.exe
1476	patch.exe
2856	injector.exe
2060	dsefix.exe
2840	windefender.exe
1764	windefender.exe

Loads dropped DLL 13 IoCs

pid	Process
2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
868	Process not Found
1476	patch.exe
1476	patch.exe
1476	patch.exe
1476	patch.exe
1476	patch.exe
2552	csrss.exe
1476	patch.exe
1476	patch.exe
1476	patch.exe
2552	csrss.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015c71-141.dat	upx
behavioral1/memory/2840-143-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0007000000015c71-144.dat	upx
behavioral1/memory/1764-147-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2840-146-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0007000000015c71-145.dat	upx
behavioral1/memory/1764-149-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1764-153-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
File created	C:\Windows\rss\csrss.exe	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204035906.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1952	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
952	schtasks.exe
1840	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1212	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2552	csrss.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2552	csrss.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2552	csrss.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe
2856	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Token: SeImpersonatePrivilege	1212	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
Token: SeSystemEnvironmentPrivilege	2552	csrss.exe
Token: SeSecurityPrivilege	1952	sc.exe
Token: SeSecurityPrivilege	1952	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2656	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	33
PID 2604 wrote to memory of 2656	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	33
PID 2604 wrote to memory of 2656	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	33
PID 2604 wrote to memory of 2656	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	33
PID 2656 wrote to memory of 1748	2656	cmd.exe	35
PID 2656 wrote to memory of 1748	2656	cmd.exe	35
PID 2656 wrote to memory of 1748	2656	cmd.exe	35
PID 2604 wrote to memory of 2552	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	36
PID 2604 wrote to memory of 2552	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	36
PID 2604 wrote to memory of 2552	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	36
PID 2604 wrote to memory of 2552	2604	d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe	36
PID 2552 wrote to memory of 2856	2552	csrss.exe	45
PID 2552 wrote to memory of 2856	2552	csrss.exe	45
PID 2552 wrote to memory of 2856	2552	csrss.exe	45
PID 2552 wrote to memory of 2856	2552	csrss.exe	45
PID 1476 wrote to memory of 1228	1476	patch.exe	76
PID 1476 wrote to memory of 1228	1476	patch.exe	76
PID 1476 wrote to memory of 1228	1476	patch.exe	76
PID 1476 wrote to memory of 1400	1476	patch.exe	74
PID 1476 wrote to memory of 1400	1476	patch.exe	74
PID 1476 wrote to memory of 1400	1476	patch.exe	74
PID 1476 wrote to memory of 968	1476	patch.exe	48
PID 1476 wrote to memory of 968	1476	patch.exe	48
PID 1476 wrote to memory of 968	1476	patch.exe	48
PID 1476 wrote to memory of 2108	1476	patch.exe	72
PID 1476 wrote to memory of 2108	1476	patch.exe	72
PID 1476 wrote to memory of 2108	1476	patch.exe	72
PID 1476 wrote to memory of 848	1476	patch.exe	70
PID 1476 wrote to memory of 848	1476	patch.exe	70
PID 1476 wrote to memory of 848	1476	patch.exe	70
PID 1476 wrote to memory of 1776	1476	patch.exe	68
PID 1476 wrote to memory of 1776	1476	patch.exe	68
PID 1476 wrote to memory of 1776	1476	patch.exe	68
PID 1476 wrote to memory of 280	1476	patch.exe	66
PID 1476 wrote to memory of 280	1476	patch.exe	66
PID 1476 wrote to memory of 280	1476	patch.exe	66
PID 1476 wrote to memory of 2012	1476	patch.exe	64
PID 1476 wrote to memory of 2012	1476	patch.exe	64
PID 1476 wrote to memory of 2012	1476	patch.exe	64
PID 1476 wrote to memory of 2268	1476	patch.exe	62
PID 1476 wrote to memory of 2268	1476	patch.exe	62
PID 1476 wrote to memory of 2268	1476	patch.exe	62
PID 1476 wrote to memory of 904	1476	patch.exe	50
PID 1476 wrote to memory of 904	1476	patch.exe	50
PID 1476 wrote to memory of 904	1476	patch.exe	50
PID 1476 wrote to memory of 1756	1476	patch.exe	60
PID 1476 wrote to memory of 1756	1476	patch.exe	60
PID 1476 wrote to memory of 1756	1476	patch.exe	60
PID 1476 wrote to memory of 2940	1476	patch.exe	58
PID 1476 wrote to memory of 2940	1476	patch.exe	58
PID 1476 wrote to memory of 2940	1476	patch.exe	58
PID 1476 wrote to memory of 2984	1476	patch.exe	56
PID 1476 wrote to memory of 2984	1476	patch.exe	56
PID 1476 wrote to memory of 2984	1476	patch.exe	56
PID 2552 wrote to memory of 1720	2552	csrss.exe	51
PID 2552 wrote to memory of 1720	2552	csrss.exe	51
PID 2552 wrote to memory of 1720	2552	csrss.exe	51
PID 2552 wrote to memory of 1720	2552	csrss.exe	51
PID 2552 wrote to memory of 2060	2552	csrss.exe	53
PID 2552 wrote to memory of 2060	2552	csrss.exe	53
PID 2552 wrote to memory of 2060	2552	csrss.exe	53
PID 2552 wrote to memory of 2060	2552	csrss.exe	53
PID 2840 wrote to memory of 2692	2840	windefender.exe	85
PID 2840 wrote to memory of 2692	2840	windefender.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
"C:\Users\Admin\AppData\Local\Temp\d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212
- C:\Users\Admin\AppData\Local\Temp\d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe
  "C:\Users\Admin\AppData\Local\Temp\d6627ec8cf84e242044b4f093ee28562cf49b22451c6c0f687a13733d42e4bad.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Modifies data under HKEY_USERS
      PID:1748
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:968
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:904
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2984
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2940
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1756
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2268
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2012
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:280
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1776
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:848
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2108
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1400
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1228
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2468
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2856
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:2060
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1840
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2692

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204035906.log C:\Windows\Logs\CBS\CbsPersist_20240204035906.cab
1⤵
- Drops file in Windows directory
PID:2712

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1764

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
1KB

MD5
d9732eb46709a405abb2f1f1122c98f5

SHA1
d04975472590ce87064fbe1567aba8f18209f735

SHA256
d0a28a4cf02bc2a9068dab3c2e27d0ae26ac8dcca86d8e825a79396e53467561

SHA512
bfb888c7e4ad8e75e0804761f3320a13a22e68b9a9671094d22ee7f09a949392d7dddfd92ef5e95877d86d202a46846c429c08ce0b9023d3af8ba90bbdaa22ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
199KB

MD5
bc022c4381946412d3a3da0da43d81a8

SHA1
99109f1ca9d46e7e9ddcc24629996f21286737e9

SHA256
4ca841f772941cfbf891fa87a4d51e5d7b42798c10cbccd9eed4f7e65c9feaa2

SHA512
1e3c8ef7ff5a86bce79eed40ad536049a0053f05adb4b77e3ad17ac728b0c5edf5c4cfce0792f1b4bfc71a43ff1e2813a87b797a770b5c27d6f5938a0826abb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44F1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
171KB

MD5
d306f7d3735d2ca785df8cb3ca63e55b

SHA1
372bb59a0746f78f674435bc3775e3941dc301d1

SHA256
a7136e5388958a8bc97812a3ea9059d89bb0f3761a47036492f413333788742b

SHA512
d6d8bf6e4e24adff9fd5e5f0613fe2b34f5f485cd7b4172246d52b341a69fdf2ccdef934a5575b224337dbeb78e6267483cf373ddf13221775ab10d6a41eb4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
292KB

MD5
283ceea32fe539520f12247fd3b8562c

SHA1
b47fc3865e47f1c7d89d1d1cdcc88dcdf2e389d3

SHA256
fc252a0ed467599180ad450565130eb54bc5828bfa1991551b18e71ca8b50ae4

SHA512
c18ca636581f826d3b9c0c6c13681b7fc9567b599338b7558f9931acd8122112052d9ad377e5c4aabfee5d05c21ff1a94b3b2c09b6567ffa57f2cbfea5770844

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
236KB

MD5
78788fddef428a73500fe450d8880420

SHA1
1ecd643b6c413a8a866ecd8f533eec07ae5369b9

SHA256
d88f7658bcce871dc8e0fbabb4b099c79561354b06ab9a44a2f74d19c6b0223a

SHA512
fe6ab5deef0f28ce68ece15bfc827572e7b70cae97d1ede593f22b59d4f28b502788de24ede9c57f8df4622588a3c5ca18915994ec63a3b4f55e7e1fd4715376

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
45KB

MD5
30fc985ba8ad6b6c395805976ec3e077

SHA1
682fec1a6cf95005baf52a74318e6f9244f4e151

SHA256
5cd11c6a6a1ac3666c75a46bf042d994febe356053a2482fed5f0ae11e0b04f9

SHA512
0b30a295f612b44a68b2a3c147b2846a7694c78495f6e96c09a8532d33dc5fd2f649f31958e5a00da17a95906d3aa2026d8ec672a8dd3f7f7ab32f1b109865a6

Download Submit
C:\Windows\rss\csrss.exe

Filesize
308KB

MD5
3640940845aa9e857883c2b49ee5fd2e

SHA1
4e639c1d5bb50c64d12e8b1743df44b6ffc87e34

SHA256
cdeb05ea304cd4ae721a30ee29667a4a73de4b41887a76708467e59aeeb39d4e

SHA512
e517b8fd6d4e892113152e4c5a14b5b85e52881c445284d4743970dd3d22a97db0d7e24079cd1ca4f419e86a530b0325e8b2f01ccf338ec14b4c8d9833ad7fd5

Download Submit
C:\Windows\rss\csrss.exe

Filesize
252KB

MD5
b95bd41ced87e4067a80d5573a928b8d

SHA1
8c8c4af10952404746131df3bf3d201132bbebc0

SHA256
c2b4f6df45523ba6c6d59794f14b9c1291e3739f9b089ed87833bb3c9e33095d

SHA512
5bb4751151a07a721372322f08dc29035fd4c433628f8a696a17d4a257936a69dbaecf94343bd6f71ba49305bfe21f47bb4401680efd6a4444bb729f64900fa9

Download Submit
C:\Windows\rss\csrss.exe

Filesize
102KB

MD5
bfbcd757c3be656b6addcf50c3f4e227

SHA1
76b2da95320b0a3f966aa250a8bd6f2a192ac426

SHA256
9a2115034419dde30d3dedfd2fc30033f3a80287b2164a0c0979dceddb2fc33c

SHA512
fa14dbadf9689a4195868c8f94c101b6a281ba56ff4298a72f5fdb1171abc1c0d8b536f871c06be3ace1925375120de1827bd0a42753babc5d3161da3e77ac88

Download Submit
C:\Windows\windefender.exe

Filesize
56KB

MD5
1df412a416412b37ab371b5e4882b37b

SHA1
30b858ba48e40ae658049c0d73aaab0c6e678e50

SHA256
ceb63e95e98713be83ee0a77eeb9918dd9d9a5f44fd5851d6b6298d2f19e067f

SHA512
e902fe0042cf210d54a3ad18b28de86e8c7b8dc0a9c5da571dd8031ea5608e4ff4a9f9db0d746481a667a3914d09b232fcff8301e383b19c74f80dee0584c8d4

Download Submit
C:\Windows\windefender.exe

Filesize
146KB

MD5
d695dcbeef99961668606b95fb0cf1b3

SHA1
f28efdd797cf43d56a1a53d45078274e1445f7e0

SHA256
811d447fa4835f1541554ab4e48e519dd33ca3bfdf9e3939ac2682a25f988df7

SHA512
1aea5a68315dbea75c360c8bf8a6f5da263a48ecf0892b628751cb5e284d6f82a5fb5579c1d6efdc18b37f417bae0dfce74528d2398e22c11a1654318dc6c064

Download Submit
C:\Windows\windefender.exe

Filesize
294KB

MD5
31cc5226abf55f755a3dc2302f4b79e8

SHA1
a504b394af0fe374fdf8172ed562526a71e1d020

SHA256
89c563472a22094c05bb906ad89e90e98fb0e5173f7450cc02bb3b47de35b764

SHA512
76775865fc73b9193a34dcc725bc3dbc8e44bfa4009dea677f24e0541ac310e299585470b6a7ea127c3be0d836e05067b0d9af73f0d00c2ccfd1c4ef94bcee3c

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
395KB

MD5
ee38a6f92cef852619fcc4729f7ea3ba

SHA1
157e97d09566586f8a9c6eb5d16be2216f7705fd

SHA256
eaaba1cd0315f0e347f5c426d070fd52dae00f11b8f2fd3a271069e838bbe88e

SHA512
560785b39e1a4b02e648e6f3f9ade115c4dda171d443b8dbe5fd5790f3fcdaeaceb5acb14ae65ccae1d7b533575277bfdd5fb9c69634654869e532628ee5ce7a

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
126KB

MD5
920a5b31513b5aabe40137f255dda293

SHA1
5f0ce33c81b7dcc941fde7eed1833d3bc21b0d14

SHA256
d2ce55b09afcf3ab1df85274ffd0c0b8f5bdd736476b518293bbbf46680a0f1d

SHA512
c48684ca1a4ab545141ad38f35281c3e9f18df8b7706081bce8f6af06ccaa73f00fd9708fdd3c4581fe428eb3f95352c9a258e7b0a7690b22a664bc2e6e08888

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
431KB

MD5
3e6026d0abbd9f66b821798f210ff61f

SHA1
39e860832435c120ad686e54d6a47eac74157b97

SHA256
ddcc9b9ed05d9db7081a09308aaf9d7a467f1a000b306451559e17d5f73134ae

SHA512
5bf5dae7e7311e18d689356960a691c11014c40eb8baf5a244cb2908ecda68ca15aa4dd9efe712a38ec452d5541487d36d7e94abefe3bdeb6ebb10143a66b145

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
337KB

MD5
4c80924b694c5e4b5ce0c8801fd6fe99

SHA1
f5b97900f53cfa370190a8d8971296f263058896

SHA256
d2c249707f5c11b8ee9f98e22cb45c62de4a250e657fd2d2c02ea740f0d31774

SHA512
a35bc0b92886f591b4154ebb5b3ab4fa26d59c8f23260f627af83ffa70e1eadbdcb24183a30f50eb0f145f517e710f736a0d687b120775ae94493eac992257af

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
361KB

MD5
3f1eeabaf7aa5e0f378f188dad39d72f

SHA1
415c545e7f603dcb2f4cc537716201952f032b6d

SHA256
346a3795b182dd128fce7e2db1854eb6a8b5b7867217a1968d8ea49c885592b1

SHA512
d93e432f5370ba64717e0dc50056f1cbd54968bca7fb7b8e83eb6842828e234a32fe633b40150ff7e34f94a645724dac86fd5eba5aa47ccd30c5ec10623f963b

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
512KB

MD5
0791ad03b5d71e572fdcda613e60f59d

SHA1
5960ad5786117d07e21990339a62dd5c52ab19a8

SHA256
3fe0965e9006310a4816391b26fd4502bdfb8d1f8909b4ec876fc53875185437

SHA512
8d4154090d776905500121929266b54d5e96b7379bfc1fe134e7f70112dd9d8f1d184077cd5c5dfe97e6710b1ad0aa169710794bde70d4827dc1f6c4b9233f1b

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
509KB

MD5
34dbf8657bc270de5b2ee45339c4d2b5

SHA1
94ee80022605ff85ad08b65ceefb3020c435b8ae

SHA256
faf3789f5fe381144256ec5a27127b1f1f7f5aa1a526158955531a0fd32dc239

SHA512
e2152f088f96fec7df1e87a1d4623a88aa5d5cf3fc69e535af8f4f8820051f9e902c3343db386cda07085bf7be3347f92dfd544628c27bd73fac1f42cb857b41

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
296KB

MD5
5a815cc8f75c5ee0a565db5c8f131068

SHA1
374f191dfd4a9f967c6e6a7183a88aba81d7f357

SHA256
f7c488a079b6fb2cea442ec7fb23189dab301abc30f21e6249ac3d8586c0e254

SHA512
d1e495ea86c6474529a7a78cb1a444eaf6ed8eae48d194dd10d6a853ff47723b0e9318abe9dc3ce8a9516f29b0e089414748f2f3c8b531f62d4e60260f60bffe

Download Submit
\Windows\rss\csrss.exe

Filesize
281KB

MD5
d5a4725405dfcde6468edc4453d3333a

SHA1
d731750ce7a4d9781c8efd58a878672c4c6b7a28

SHA256
20db80d2f2ab6975977b5acd9a1f1d3f7fa8d4797a814fa2eb16a781aeea7e1b

SHA512
941fa7a72d7da4bd2a45425c8a8017652cb832afc7890ebde6de3d48c00165ca340e3c411767a7e6ee1ffcc72444fafcf38f13f8a4e1703ec7da0fdc11b2ce01

Download Submit
memory/1212-4-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1212-1-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1212-2-0x00000000029D0000-0x00000000032BB000-memory.dmp

Filesize
8.9MB

Download
memory/1212-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1212-5-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1212-6-0x00000000029D0000-0x00000000032BB000-memory.dmp

Filesize
8.9MB

Download
memory/1212-0-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1476-47-0x00000000005B0000-0x0000000000B98000-memory.dmp

Filesize
5.9MB

Download
memory/1476-55-0x00000000005B0000-0x0000000000B98000-memory.dmp

Filesize
5.9MB

Download
memory/1764-149-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1764-147-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1764-153-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2552-110-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-176-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-33-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/2552-196-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-111-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-107-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/2552-106-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-138-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-194-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-192-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-190-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-188-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-186-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-184-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-142-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-148-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-25-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/2552-150-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-152-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-34-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-154-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-156-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-158-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-160-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-162-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-164-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-166-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-168-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-170-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-172-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-174-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-178-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2552-180-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2604-7-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/2604-20-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/2604-19-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2604-10-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2604-9-0x0000000002A10000-0x00000000032FB000-memory.dmp

Filesize
8.9MB

Download
memory/2604-8-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/2840-146-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2840-143-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download