glupteba | bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882

Analysis

max time kernel
299s
max time network
282s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Size

4.1MB
MD5

bf257d2f4103b21c7f14bad1a61353ec
SHA1

7d9c7dac58f6057957ad032d8c057debafd8e62e
SHA256

bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882
SHA512

d4ba7fbde1d53f01263f2c65514732026f434ec2e461fd8fb7a2398c52b8d25edc047b2b45595bb14d5e4e761e52842b88b0f093406741d9ad078a68c5e07363
SSDEEP

98304:7yGuBgAwnQem+Uql0Dgxel+ktF5CaAW9LUaE13xxYjoS:buenwlERxel3qa4VhxIz

Score

10^/10

glupteba discovery dropper evasion loader persistence ransomware rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 38 IoCs

resource	yara_rule
behavioral1/memory/2184-2-0x0000000003B00000-0x00000000043EB000-memory.dmp	family_glupteba
behavioral1/memory/2184-3-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2184-4-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2448-9-0x0000000003BE0000-0x00000000044CB000-memory.dmp	family_glupteba
behavioral1/memory/2184-8-0x0000000003B00000-0x00000000043EB000-memory.dmp	family_glupteba
behavioral1/memory/2448-10-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2448-19-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-24-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-108-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-119-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-120-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-149-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-158-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-159-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-161-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-163-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-166-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-167-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-169-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-171-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-173-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-176-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-177-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-179-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-181-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-184-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-185-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-187-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-189-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-191-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-194-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-195-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-197-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-199-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-201-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-204-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-205-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba
behavioral1/memory/2512-207-0x0000000000400000-0x0000000001E0F000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe

Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2988	bcdedit.exe
2856	bcdedit.exe
2072	bcdedit.exe
2368	bcdedit.exe
768	bcdedit.exe
1504	bcdedit.exe
2212	bcdedit.exe
1256	bcdedit.exe
3004	bcdedit.exe
2208	bcdedit.exe
1652	bcdedit.exe
916	bcdedit.exe
2860	bcdedit.exe
2132	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2440	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 6 IoCs

pid	Process
2512	csrss.exe
2408	patch.exe
2872	injector.exe
1572	dsefix.exe
2612	windefender.exe
2928	windefender.exe

Loads dropped DLL 13 IoCs

pid	Process
2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
860	Process not Found
2408	patch.exe
2408	patch.exe
2408	patch.exe
2408	patch.exe
2408	patch.exe
2512	csrss.exe
2408	patch.exe
2408	patch.exe
2408	patch.exe
2512	csrss.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001875a-152.dat	upx
behavioral1/memory/2612-153-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x000700000001875a-154.dat	upx
behavioral1/files/0x000700000001875a-155.dat	upx
behavioral1/memory/2928-157-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2612-156-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2928-160-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2928-164-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
File created	C:\Windows\rss\csrss.exe	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240229050257.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2528	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2652	schtasks.exe
2436	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2512	csrss.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2512	csrss.exe
2872	injector.exe
2512	csrss.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe
2872	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Token: SeImpersonatePrivilege	2184	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
Token: SeSystemEnvironmentPrivilege	2512	csrss.exe
Token: SeSecurityPrivilege	2528	sc.exe
Token: SeSecurityPrivilege	2528	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2484	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	35
PID 2448 wrote to memory of 2484	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	35
PID 2448 wrote to memory of 2484	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	35
PID 2448 wrote to memory of 2484	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	35
PID 2484 wrote to memory of 2440	2484	cmd.exe	34
PID 2484 wrote to memory of 2440	2484	cmd.exe	34
PID 2484 wrote to memory of 2440	2484	cmd.exe	34
PID 2448 wrote to memory of 2512	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	36
PID 2448 wrote to memory of 2512	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	36
PID 2448 wrote to memory of 2512	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	36
PID 2448 wrote to memory of 2512	2448	bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe	36
PID 2512 wrote to memory of 2872	2512	csrss.exe	44
PID 2512 wrote to memory of 2872	2512	csrss.exe	44
PID 2512 wrote to memory of 2872	2512	csrss.exe	44
PID 2512 wrote to memory of 2872	2512	csrss.exe	44
PID 2408 wrote to memory of 2132	2408	patch.exe	75
PID 2408 wrote to memory of 2132	2408	patch.exe	75
PID 2408 wrote to memory of 2132	2408	patch.exe	75
PID 2408 wrote to memory of 2860	2408	patch.exe	73
PID 2408 wrote to memory of 2860	2408	patch.exe	73
PID 2408 wrote to memory of 2860	2408	patch.exe	73
PID 2408 wrote to memory of 916	2408	patch.exe	71
PID 2408 wrote to memory of 916	2408	patch.exe	71
PID 2408 wrote to memory of 916	2408	patch.exe	71
PID 2408 wrote to memory of 1652	2408	patch.exe	69
PID 2408 wrote to memory of 1652	2408	patch.exe	69
PID 2408 wrote to memory of 1652	2408	patch.exe	69
PID 2408 wrote to memory of 2988	2408	patch.exe	46
PID 2408 wrote to memory of 2988	2408	patch.exe	46
PID 2408 wrote to memory of 2988	2408	patch.exe	46
PID 2408 wrote to memory of 2208	2408	patch.exe	66
PID 2408 wrote to memory of 2208	2408	patch.exe	66
PID 2408 wrote to memory of 2208	2408	patch.exe	66
PID 2408 wrote to memory of 2856	2408	patch.exe	48
PID 2408 wrote to memory of 2856	2408	patch.exe	48
PID 2408 wrote to memory of 2856	2408	patch.exe	48
PID 2408 wrote to memory of 2072	2408	patch.exe	50
PID 2408 wrote to memory of 2072	2408	patch.exe	50
PID 2408 wrote to memory of 2072	2408	patch.exe	50
PID 2408 wrote to memory of 3004	2408	patch.exe	64
PID 2408 wrote to memory of 3004	2408	patch.exe	64
PID 2408 wrote to memory of 3004	2408	patch.exe	64
PID 2408 wrote to memory of 1256	2408	patch.exe	62
PID 2408 wrote to memory of 1256	2408	patch.exe	62
PID 2408 wrote to memory of 1256	2408	patch.exe	62
PID 2408 wrote to memory of 2212	2408	patch.exe	60
PID 2408 wrote to memory of 2212	2408	patch.exe	60
PID 2408 wrote to memory of 2212	2408	patch.exe	60
PID 2408 wrote to memory of 1504	2408	patch.exe	58
PID 2408 wrote to memory of 1504	2408	patch.exe	58
PID 2408 wrote to memory of 1504	2408	patch.exe	58
PID 2408 wrote to memory of 768	2408	patch.exe	56
PID 2408 wrote to memory of 768	2408	patch.exe	56
PID 2408 wrote to memory of 768	2408	patch.exe	56
PID 2512 wrote to memory of 2368	2512	csrss.exe	54
PID 2512 wrote to memory of 2368	2512	csrss.exe	54
PID 2512 wrote to memory of 2368	2512	csrss.exe	54
PID 2512 wrote to memory of 2368	2512	csrss.exe	54
PID 2512 wrote to memory of 1572	2512	csrss.exe	52
PID 2512 wrote to memory of 1572	2512	csrss.exe	52
PID 2512 wrote to memory of 1572	2512	csrss.exe	52
PID 2512 wrote to memory of 1572	2512	csrss.exe	52
PID 2612 wrote to memory of 1540	2612	windefender.exe	81
PID 2612 wrote to memory of 1540	2612	windefender.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
"C:\Users\Admin\AppData\Local\Temp\bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
- C:\Users\Admin\AppData\Local\Temp\bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe
  "C:\Users\Admin\AppData\Local\Temp\bfb53e5751a438d100dd7f12155182b7b180332e87e8ec4b1325aa34fa10f882.exe"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2484
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Manipulates WinMon driver.
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\system32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2988
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2856
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2072
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:768
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1504
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2212
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1256
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3004
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2208
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1652
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:916
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2860
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2132
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      Executes dropped EXE
      PID:1572
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2368
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2436
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:1540
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240229050257.log C:\Windows\Logs\CBS\CbsPersist_20240229050257.cab
1⤵
- Drops file in Windows directory
PID:2700

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2440

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34A9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
449KB

MD5
6a36d47c8cedf70824bde6b600555827

SHA1
5c9f6d28ff13390cfdf7b3b93e2896d0d33f13ba

SHA256
474ebac2deb37d5001b87ccc29cad2538f428f924932f439145efec2518fc306

SHA512
5350896891f38d865405cab2cd3c51c067ddce251cb4d8396c7f734c37a28a5b900896e9507bf3a78d3b7fb35e6c59429a676fa9df2d196e26dbab330cfdddce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
99KB

MD5
f6ea0dcea935967ebabd586aee034126

SHA1
cb8b4d8eb96f1cc4302724955594d71b17063f25

SHA256
4a14814c718e2bcce6992e7860f5f1186714fc60780b874678d2d6407e722be7

SHA512
136cdcd4429c71f556f76396c3bc37b7f83e8e56ec787648c280fdb3267e17f7bc98e2aadc17a5c5e4cb07c7b5654c9d62a68c99c14a3d1fee1e827b988ad379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3655.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
166KB

MD5
9ae1c0ee4e9e7ec7e6765cc2f3472fb2

SHA1
183be68e5ceb77b6af93cdb4e815692d16c5cafb

SHA256
254987dcd929bb0f5031cae20c894a32f9ee51cb5ecb59722a6fc177bcb79c77

SHA512
623d02b78618c15ada4c37d29173417e25f6f814ceda55778512bfb4a9373fde75ea96c733b7620d1050d765d6693fdca409745bd84676efc3b8dabe24d7b0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
197KB

MD5
82c34fd93c2200b4d3d6d622dc564001

SHA1
98810c1c641be536a5d3bfdd3b7636899d03fee8

SHA256
f7e9584611434e41e4993bfed4862015888589d98c7d98c0638be098d9fafff4

SHA512
5d0f08a4cb2226dbeb1137cff682623c906aeafb7b0bdf65bceb2ef900662c0fb592bea1ebdb9c6bbfee5ea135faf45028e510bdc450d09b1fbf1badb7ca4079

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
151KB

MD5
c1d0fa20150163b66d933068d5c5568d

SHA1
cbf9992e3a8aa6719fc656b85917ba30ee70fad0

SHA256
30b3a2efb0b4c199e8a124ee85ac9ec6e9b6888605a3d694108ca933a0d67a0d

SHA512
3a76ab136c0d564cf38dddb1201661598983b22a1ee45d7133f8dfe751c5c1a728cb21782398c92135ecac60c97fd837cbd31ee93fe32b260bc7546bf41444c8

Download Submit
C:\Windows\rss\csrss.exe

Filesize
855KB

MD5
2c87682850eb598b671abeae97aec3d1

SHA1
be95bf2f0d022a82ecf7ecb7ef4b8d9e2e031e15

SHA256
3a68834190b30291439006b077b1eeb15e174fbe45be600abade9c5daf83e3b5

SHA512
9127c082db1bf9cbb1d540042c5ec3ccd6cb1301f7aca7bd50164a59506ab9a4b25d3e0f0cd17b1986a13731c3d31f920b921c8b2c8505d4e88689b8307b9924

Download Submit
C:\Windows\rss\csrss.exe

Filesize
826KB

MD5
20768eb56eaad19daf7fac415af21090

SHA1
c13783f8ee3f8f89a53f5117b16dcebe663b59a5

SHA256
84b8366f646033236173fb8bc88f144789ea7bbcbf0f99b8c3f8896e44449abc

SHA512
60b01d6bf97ceeb51e32e0ae32e46ac69745f291127b9d772cc1931f7d46169d518a9a53c3d0caefff57084ede6eebb2ddf01cde2cf1eafb28ab5ebc91f1cf72

Download Submit
C:\Windows\rss\csrss.exe

Filesize
344KB

MD5
e9fdbba6cc78df9147fc85f2efe1f63a

SHA1
5b84854604392ba31005e04fd1df55b84e42b922

SHA256
37e181816ac42498b16b80131a2e1d2836a90ced0aee80f1ba99e7e259332b85

SHA512
de2fbbd9ecf14c193322742104f19092d015b6762ee2f812b388e64c1b264c0b6293e8a9e92d43f974f8b53980e6b0f3a2f3f5c7c74763cb8886d030e0abb011

Download Submit
C:\Windows\windefender.exe

Filesize
237KB

MD5
7786befd9131af5fab5ca9b2ae1c28c0

SHA1
a409f3eb2893540d5a3c11c6ffc4d9b6518b662d

SHA256
371d683f503690ad1ef1cd64aa1ff70a6ca565437a6495c311e1de430e28880e

SHA512
95c535564150998b3da4c93c5556c3a15d250b327e8b0056955908ba375b21494cf120be9bbad8773d04e2570d3ab8b60e1cf2f1ca15c63176fbb1c8eee98182

Download Submit
C:\Windows\windefender.exe

Filesize
488KB

MD5
28f862737f21f73793b65a9058a5ef6f

SHA1
39d300d17b60df6b1c737d7b973e460ebe7c8365

SHA256
fd7a88f634d50e68f0112f519f4c27078aff9b15a796886c559453fd767c32f6

SHA512
cc56ad08f38b2a60664917f9adf693bc67bcff5681093dc0193e373d9e809f1ea2c78aa7e72ae9b255451b1c4df69cf03762b43a2d617bb61a0e180bf4eba4a8

Download Submit
C:\Windows\windefender.exe

Filesize
328KB

MD5
f21a0fc60cd73fffb7cd7a2c381fab34

SHA1
3e239c907223eeccdfb9801143b2a56ec4b7361a

SHA256
fc4c72c2f18a30226fdc2b5caa90c92092fa450b3056b34b850bcd4ea9f0cbbc

SHA512
7ee07cc2483b72afbf1590fa9cd1b1bc4ffe991c5ee2bf324543516601e349aa6e04eef95dded47102bb7aff6a99068cc3a72d663047d4db8c780b91737d4af0

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
219KB

MD5
1ca335eca90f7b774ea854886303793a

SHA1
5b52e7bed87ca702df405e46a9bd7b2610ecfc59

SHA256
08de3b83fd2c0f89bbbcf7537eaba9122e13cb7e29a8010b8b080fb9c2cd2493

SHA512
9158da70d6385ad69a626a353b0ddf760159b41e0523d16c8dd57a8368025ae84916b8103019e342101b6cce24ae8b369fd347fcfe8bef40e5296148808e9faa

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
89KB

MD5
2ccfe7d98252df75dcbc9b37ad54f90b

SHA1
24b56c44ad9e3b07c9b54f292592719d3100f0da

SHA256
319a697c9681262a3630389f55650318e8f540846bdc50637b606ba1d232753a

SHA512
47b6d90f4c48670370d7e8d0ba0a614fd8d83ae18c811d94859b7c4aee4954ad4c831e13986a12c3cd60a67d0739b07b84d1e2ecbc483ed1617d8100a162396f

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
146KB

MD5
6d6078fce61d0386514c8a0885a35327

SHA1
385d8ed5bdc9afdfce79a2369300ab15d5778fe4

SHA256
a29be1ab914a436ab594292e611911dda91bb3cdb9b9a9899a8556f3c05a2ac1

SHA512
b8615218c202bb90bf0aef1b4d1815f62d24de862e65bb33b9c438f01a30431deb093d0913f740e0faab3b5dbde92517daef0e1ca6b796131fb6d967e1affc99

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
58KB

MD5
b8933d84d4e33748c1439b873340fe64

SHA1
574f772511b350dd77b090cb94f6b420b11b8fcb

SHA256
8bb163b15e7f535f1280f133046272fa1f68b74848c440c3258ceccc0048a316

SHA512
5655dd76a93ad6df9b054715b2e46e4660113a2ce64a46e341e4abd9dd0a00877ff2b85f97f03cb18477f6bae750f16e0968c77cf13de6da6161013643619ea1

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
189KB

MD5
d0f54756f13c9690ed6a03c822b69544

SHA1
b4dcebcdfbfefff97ef7068ce696badff55242d9

SHA256
aa171e187b86c622e9f67629623795922dba3aae44240b974e1ae60727d028ae

SHA512
57709a16376390f1a86e2cb9f43833bf0ed3e9ed364b16ff40e640e0e4d7c5745f8b02b870cf1f45b435c24c05fdaa5a56caec12dea87b558c9411f9687450c7

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
185KB

MD5
1bbfe8e8855ed2244d3effe1b6de6f2d

SHA1
c45ad8426dea288c3dd452dfa71b5ff4dd70ac82

SHA256
ea0d3f57c09b6926615364d62d6e3625d4e4fd6e038e8546c9ec9765c2ff28c9

SHA512
5606b8da766ae2a0e783cc7250839fc15d1909c99c965f15cb1b1cc98e284e63bd78f4d48f9da8456a9b582c557da0729da4e25972f48ce26daa3e9b27487c72

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
173KB

MD5
4293be9ec39b0da9ad0d931ea78ed5c0

SHA1
5d829c1a6a54116d45df17fc4ed2668f21114060

SHA256
c893115ce84a5cffe3e11df6dc03830ef923923b65d987fd775481848945546f

SHA512
ea575c00a640b69def48f5f40298eab52508fe8312d644579d35f495d0088a6a4299828360ef1f0231fb21f0e13184e5bdc8e96ce6393126cdd4b7140318ac3b

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
145KB

MD5
a8c379e29677cfdc17878259ecbd573f

SHA1
7ff06106d35d3d9d338b5f0907e7542084640df7

SHA256
12c3d9b95df3740c2df5f50d264b8dec18954d8f988c61c89f9ca0f6d1a381cb

SHA512
da54f9d2b76d5216ad92e4993d056da9772983fcf7adb2fbf9bd5d931230ba0de8a418fa2eaf539881ad5725495bfd991d1c29468b64bb76735bac2548655a9f

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
65KB

MD5
96cfe1352f21588f66b2a61b8143b979

SHA1
758d46cd67ac59b02a8c2fb36c204c6e0949e633

SHA256
347e22ccc9a4fba9c66c32689b66aa5f139381cbbd72358e43dc465ce828a2b6

SHA512
336223fa535892a5ef96107ecbfc477ce4560bc20a20eba1ce195432afba023ec3f25c2573e4894a315318d898acc8c008ccfbd6717e3f13886a2d3a38c6fda1

Download Submit
\Windows\rss\csrss.exe

Filesize
1.0MB

MD5
27346b197a8d13135cbef4ad13c0a191

SHA1
5f5f5270154a3efec04b2594b89f3bc487023a63

SHA256
6e49a05c09875f31f2b1f53c948187c303bd51b1eac4494979a72eca5e8808b4

SHA512
b5a95bf03e23537c1c589d7aa18c7cf247fbd539949b3cf19abfc3eb90e71527c0a48a3b30cd7a4245b73222d63c1cc12e93cbc63cdce6e96a58bee378fd64e3

Download Submit
memory/2184-3-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2184-8-0x0000000003B00000-0x00000000043EB000-memory.dmp

Filesize
8.9MB

Download
memory/2184-0-0x0000000003700000-0x0000000003AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2184-6-0x0000000003700000-0x0000000003AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2184-2-0x0000000003B00000-0x00000000043EB000-memory.dmp

Filesize
8.9MB

Download
memory/2184-1-0x0000000003700000-0x0000000003AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2184-4-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2408-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2408-30-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2448-7-0x00000000037E0000-0x0000000003BD8000-memory.dmp

Filesize
4.0MB

Download
memory/2448-5-0x00000000037E0000-0x0000000003BD8000-memory.dmp

Filesize
4.0MB

Download
memory/2448-10-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2448-9-0x0000000003BE0000-0x00000000044CB000-memory.dmp

Filesize
8.9MB

Download
memory/2448-19-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2448-21-0x00000000037E0000-0x0000000003BD8000-memory.dmp

Filesize
4.0MB

Download
memory/2512-179-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-171-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-119-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-149-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-108-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-207-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-20-0x0000000003600000-0x00000000039F8000-memory.dmp

Filesize
4.0MB

Download
memory/2512-22-0x0000000003600000-0x00000000039F8000-memory.dmp

Filesize
4.0MB

Download
memory/2512-205-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-204-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-158-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-201-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-159-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-161-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-163-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-199-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-166-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-167-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-169-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-120-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-173-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-176-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-177-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-24-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-181-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-184-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-185-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-187-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-189-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-191-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-194-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-195-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2512-197-0x0000000000400000-0x0000000001E0F000-memory.dmp

Filesize
26.1MB

Download
memory/2612-156-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2612-153-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2928-164-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2928-160-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2928-157-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download