fabookie | 3195334294fd75b18e9c0bc593335290b73dcc315d5c25157f2a3225eb595bad

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

15.7MB
MD5

2c3db571085a0f88cd336201868ede9c
SHA1

26f219c2369c8c4c8ad8e658fa907f73078e274c
SHA256

c9a4ba85ca3416b83d174844eba1c0aeb8b55d316a68e8d6cf7a732b9c14c2fd
SHA512

34d874cd8e1b5567ba9585cdeec5cf80e35475f1f8880194f09cf2005d3f9153b76ffaa5cd6f830b99ef472b9db37546358118bf3dd0f92933662067876dd65d
SSDEEP

393216:x0dgO1ueIzjGEbRXnABu6K06JG+EmsZiaWAuTT5qS:adg2rIPnbRXAQ0lTZVWAuTV3

Score

10^/10

fabookie glupteba nullmixer privateloader raccoon socelars efc20640b4b1564934471e6297b87d8657db774a aspackv2 discovery dropper evasion execution loader persistence privilege_escalation rootkit spyware stealer

Malware Config

Extracted

Family

socelars

http://www.yarchworkshop.com/

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://212.193.30.29/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

212.192.241.62

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

efc20640b4b1564934471e6297b87d8657db774a

Attributes

url4cnc
http://91.219.236.162/jredmankun

http://185.163.47.176/jredmankun

http://193.38.54.238/jredmankun

http://74.119.192.122/jredmankun

http://91.219.236.240/jredmankun

https://t.me/jredmankun

rc4.plain

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b88-92.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Glupteba family
glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral4/memory/1548-224-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4944-229-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-237-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-240-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-275-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-278-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-281-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-284-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-287-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-290-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-293-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-296-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-299-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-302-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba
behavioral4/memory/4768-305-0x0000000000400000-0x0000000000C36000-memory.dmp	family_glupteba

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

resource	yara_rule
behavioral4/memory/2096-246-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b82-97.dat	family_socelars

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral4/files/0x000a000000023b88-92.dat	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral4/files/0x000a000000023b88-92.dat	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
116	powershell.exe
2888	powershell.exe
2004	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2096	netsh.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000a000000023b7c-69.dat	aspack_v212_v242
behavioral4/files/0x000a000000023b79-64.dat	aspack_v212_v242
behavioral4/files/0x000a000000023b7a-62.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Sun15b94526a807b.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Sun15a8461882.exe

Executes dropped EXE 13 IoCs

pid	Process
1784	setup_install.exe
1548	Sun1585e1028b0.exe
1876	Sun15a8461882.exe
1544	Sun15e81af69f990d3a6.exe
2396	Sun15c4c762b69ba5.exe
4308	Sun15b94526a807b.exe
2660	Sun15b94526a807b.tmp
1952	Sun15b94526a807b.exe
2568	Sun15b94526a807b.tmp
4944	Sun1585e1028b0.exe
4768	csrss.exe
916	injector.exe
2096	Sun15a8461882.exe

Loads dropped DLL 7 IoCs

pid	Process
1784	setup_install.exe
1784	setup_install.exe
1784	setup_install.exe
1784	setup_install.exe
1784	setup_install.exe
2660	Sun15b94526a807b.tmp
2568	Sun15b94526a807b.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Sun1585e1028b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 2096	1876	Sun15a8461882.exe	157

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Sun1585e1028b0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	Sun1585e1028b0.exe
File created	C:\Windows\rss\csrss.exe	Sun1585e1028b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4492	1544	WerFault.exe
1576	2396	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15a8461882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15b94526a807b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun1585e1028b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15c4c762b69ba5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15b94526a807b.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun1585e1028b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15a8461882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15e81af69f990d3a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15b94526a807b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sun15b94526a807b.tmp

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15c4c762b69ba5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15c4c762b69ba5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15c4c762b69ba5.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3160	schtasks.exe
4516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	powershell.exe
2888	powershell.exe
2004	powershell.exe
2004	powershell.exe
2888	powershell.exe
2004	powershell.exe
1548	Sun1585e1028b0.exe
1548	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
4944	Sun1585e1028b0.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
4768	csrss.exe
4768	csrss.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
916	injector.exe
116	powershell.exe
116	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1548	Sun1585e1028b0.exe
Token: SeImpersonatePrivilege	1548	Sun1585e1028b0.exe
Token: SeSystemEnvironmentPrivilege	4768	csrss.exe
Token: SeDebugPrivilege	116	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1784	1648	setup_installer.exe	86
PID 1648 wrote to memory of 1784	1648	setup_installer.exe	86
PID 1648 wrote to memory of 1784	1648	setup_installer.exe	86
PID 1784 wrote to memory of 4728	1784	setup_install.exe	89
PID 1784 wrote to memory of 4728	1784	setup_install.exe	89
PID 1784 wrote to memory of 4728	1784	setup_install.exe	89
PID 1784 wrote to memory of 3628	1784	setup_install.exe	90
PID 1784 wrote to memory of 3628	1784	setup_install.exe	90
PID 1784 wrote to memory of 3628	1784	setup_install.exe	90
PID 3628 wrote to memory of 2888	3628	cmd.exe	92
PID 3628 wrote to memory of 2888	3628	cmd.exe	92
PID 3628 wrote to memory of 2888	3628	cmd.exe	92
PID 4728 wrote to memory of 2004	4728	cmd.exe	91
PID 4728 wrote to memory of 2004	4728	cmd.exe	91
PID 4728 wrote to memory of 2004	4728	cmd.exe	91
PID 1784 wrote to memory of 900	1784	setup_install.exe	93
PID 1784 wrote to memory of 900	1784	setup_install.exe	93
PID 1784 wrote to memory of 900	1784	setup_install.exe	93
PID 1784 wrote to memory of 4916	1784	setup_install.exe	94
PID 1784 wrote to memory of 4916	1784	setup_install.exe	94
PID 1784 wrote to memory of 4916	1784	setup_install.exe	94
PID 1784 wrote to memory of 344	1784	setup_install.exe	95
PID 1784 wrote to memory of 344	1784	setup_install.exe	95
PID 1784 wrote to memory of 344	1784	setup_install.exe	95
PID 1784 wrote to memory of 688	1784	setup_install.exe	96
PID 1784 wrote to memory of 688	1784	setup_install.exe	96
PID 1784 wrote to memory of 688	1784	setup_install.exe	96
PID 1784 wrote to memory of 5072	1784	setup_install.exe	97
PID 1784 wrote to memory of 5072	1784	setup_install.exe	97
PID 1784 wrote to memory of 5072	1784	setup_install.exe	97
PID 1784 wrote to memory of 2348	1784	setup_install.exe	98
PID 1784 wrote to memory of 2348	1784	setup_install.exe	98
PID 1784 wrote to memory of 2348	1784	setup_install.exe	98
PID 1784 wrote to memory of 1740	1784	setup_install.exe	99
PID 1784 wrote to memory of 1740	1784	setup_install.exe	99
PID 1784 wrote to memory of 1740	1784	setup_install.exe	99
PID 1784 wrote to memory of 3328	1784	setup_install.exe	100
PID 1784 wrote to memory of 3328	1784	setup_install.exe	100
PID 1784 wrote to memory of 3328	1784	setup_install.exe	100
PID 1784 wrote to memory of 4156	1784	setup_install.exe	101
PID 1784 wrote to memory of 4156	1784	setup_install.exe	101
PID 1784 wrote to memory of 4156	1784	setup_install.exe	101
PID 1784 wrote to memory of 4188	1784	setup_install.exe	102
PID 1784 wrote to memory of 4188	1784	setup_install.exe	102
PID 1784 wrote to memory of 4188	1784	setup_install.exe	102
PID 1784 wrote to memory of 1088	1784	setup_install.exe	103
PID 1784 wrote to memory of 1088	1784	setup_install.exe	103
PID 1784 wrote to memory of 1088	1784	setup_install.exe	103
PID 1784 wrote to memory of 2688	1784	setup_install.exe	104
PID 1784 wrote to memory of 2688	1784	setup_install.exe	104
PID 1784 wrote to memory of 2688	1784	setup_install.exe	104
PID 1784 wrote to memory of 1532	1784	setup_install.exe	105
PID 1784 wrote to memory of 1532	1784	setup_install.exe	105
PID 1784 wrote to memory of 1532	1784	setup_install.exe	105
PID 1784 wrote to memory of 1716	1784	setup_install.exe	106
PID 1784 wrote to memory of 1716	1784	setup_install.exe	106
PID 1784 wrote to memory of 1716	1784	setup_install.exe	106
PID 1784 wrote to memory of 872	1784	setup_install.exe	107
PID 1784 wrote to memory of 872	1784	setup_install.exe	107
PID 1784 wrote to memory of 872	1784	setup_install.exe	107
PID 1784 wrote to memory of 3488	1784	setup_install.exe	108
PID 1784 wrote to memory of 3488	1784	setup_install.exe	108
PID 1784 wrote to memory of 3488	1784	setup_install.exe	108
PID 1784 wrote to memory of 1080	1784	setup_install.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15a8461882.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15a8461882.exe
      Sun15a8461882.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1876
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15a8461882.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
    - - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15a8461882.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15a8461882.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15635943177.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun154ca5fada.exe /mixtwo
    3⤵
    - System Location Discovery: System Language Discovery
    PID:344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun157e7a96e632.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15168f90478cc7.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15591a43f8a.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun1580e9cd8c23e.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15372e8db79ed3d.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15b94526a807b.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15b94526a807b.exe
      Sun15b94526a807b.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\is-FH87S.tmp\Sun15b94526a807b.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FH87S.tmp\Sun15b94526a807b.tmp" /SL5="$401C0,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15b94526a807b.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15b94526a807b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15b94526a807b.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\is-2JKQ4.tmp\Sun15b94526a807b.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2JKQ4.tmp\Sun15b94526a807b.tmp" /SL5="$A01CC,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15b94526a807b.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun1500b8e65c1f53.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15132bf2c585337a0.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun150e9a93676ff.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15c4c762b69ba5.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15c4c762b69ba5.exe
      Sun15c4c762b69ba5.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:2396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 360
        5⤵
        Program crash
        
        PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun1524d92394d.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun156aa32cae4a.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun15e81af69f990d3a6.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15e81af69f990d3a6.exe
      Sun15e81af69f990d3a6.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 408
        5⤵
        Program crash
        
        PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun1515dbfc0edab0.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun1585e1028b0.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1585e1028b0.exe
      Sun1585e1028b0.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1585e1028b0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1585e1028b0.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1480
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2096
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /306-306
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun156d9ca8467.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun1507dd11d509.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1544 -ip 1544
1⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2396 -ip 2396
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
4febbed712a0c1b0f50f37ae1c0c12d6

SHA1
efffb5747f8b71f02d9eb655f45f6917eb8a7d9e

SHA256
6a37ea10fe94c2e3e3ea4f2e8bb0f4ab049d606b6e75cb4c85dd14b5d624a10f

SHA512
c016819387a1089e58d61d0d3f615b3ccddb17df855419d9d4166c2647c6c44f6c6f5c45a6ce4a7b70d1a56d43d9365795e4514d5a160a8985ebb434b46fa622

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1500b8e65c1f53.exe

Filesize
1.7MB

MD5
23a1ebcc1aa065546e0628bed9c6b621

SHA1
d8e8a400990af811810f5a7aea23f27e3b099aad

SHA256
9615e9c718ebdfae25e1424363210f252003cf2bc41bffdd620647fc63cd817a

SHA512
8942ce8c005f423d290220f7cc53ee112654428793287c0e330ee3318630845a86afcd9802fe56e540051f8224a71ddf9e4af59ea418469005ba0fbd770989a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1507dd11d509.exe

Filesize
532KB

MD5
43e459f57576305386c2a225bfc0c207

SHA1
13511d3f0d41fe28981961f87c3c29dc1aa46a70

SHA256
fb58f709914380bce2e643aa0f64cd5458cb8b29c8f072cd1645e42947f89787

SHA512
33cbcc6fb73147b7b3f2007be904faf01dc04b0e773bb1cfe6290f141b1f01cb260cd4f3826e30ab8c60d981bcc1b7f60e17ab7146ba32c94c87ac3a2b717207

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun150e9a93676ff.exe

Filesize
426KB

MD5
53759f6f2d4f415a67f64fd445006dd0

SHA1
f8af2bb0056cb578711724dd435185103abf2469

SHA256
7477156f6856ac506c7ca631978c2369e70c759eb65895dfce8ba4cfce608d58

SHA512
6c7cb5d0fb8efc43425dca72711c017971536ed74a7c4fe3e9cc47e63b8fe1f586a762d3c7edcee193250b4693382233720cc7b88fc6ca0f8f14b8769a77a5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15132bf2c585337a0.exe

Filesize
1.4MB

MD5
1f9b3bc156f958523739194cd2733887

SHA1
524816ed7d4616af3137cf6dd48310441efdea3b

SHA256
3e2b6469551fac2d98c0efb1668096a4b247d30a1a0f40b1b2b16c3a78218abd

SHA512
296ce4dffa32bff8b04ad542e55832695c2643426def71aa8b4fc9973691eafb84bbc645abbde3ee96fb8b25322152e9ab68b550bf2f220ec8a38fba5747a16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1515dbfc0edab0.exe

Filesize
738KB

MD5
9c41934cf62aa9c4f27930d13f6f9a0c

SHA1
d8e5284e5cb482abaafaef1b5e522f38294001d2

SHA256
c55a03ca5ef870fd4b4fdf8595892155090f796578f5dd457030094b333d26b0

SHA512
d2c4d6af13557be60cf4df941f3184a5cce9305c1ca7a66c5a998073dbe2e3462a4afce992432075a875ca09297bb5559ccd7bca3e1fe2c59760a675192f49d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15168f90478cc7.exe

Filesize
87KB

MD5
831ec888d8238e49c4371f643fdcaa9e

SHA1
5991867930cc585e201d50e7d76a7afada780f90

SHA256
26ef4111e91e052367a9b8daed46b3684acf8ed665fe1b6bdf751995557fadb9

SHA512
d926bde2f13852fc084ec48e8baf00c36e06644f6d6a59918715752c5f092d7e258cca650d241f3d480713e8085aa1f17897fe9edea4764262c46be653de4609

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1524d92394d.exe

Filesize
753KB

MD5
7362b881ec23ae11d62f50ee2a4b3b4c

SHA1
2ae1c2a39a8f8315380f076ade80028613b15f3e

SHA256
8af8843d8d5492c165ef41a8636f86f104bf1c3108372a0933961810c9032cf2

SHA512
071879a8901c4d0eba2fa886b0a8279f4b9a2e3fbc7434674a07a5a8f3d6a6b87a6dce414d70a12ab94e3050bd3b55e8bfaf8ffea6d24ef6403c70bd4a1c5b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15372e8db79ed3d.exe

Filesize
426KB

MD5
e52d81731d7cd80092fc66e8b1961107

SHA1
a7d04ed11c55b959a6faaaa7683268bc509257b2

SHA256
4b6212f2dbf8eb176019a4748ce864dd04753af4f46c3d6d89d392a5fb007e70

SHA512
69046e90e402156f358efa3baf74337eacd375a767828985ebe94e1b886d5b881e3896d2200c9c9b90abab284d75466bc649b81c9f9e89f040b0db5d301d1977

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun154ca5fada.exe

Filesize
1.1MB

MD5
aa75aa3f07c593b1cd7441f7d8723e14

SHA1
f8e9190ccb6b36474c63ed65a74629ad490f2620

SHA256
af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1

SHA512
b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15591a43f8a.exe

Filesize
1.9MB

MD5
c18fd5cf734e7438fb340750cd11c605

SHA1
7a199f1836fdf27932cee19f83c7421ed05e9108

SHA256
36a0dfbe4e1491c2d4b84e06fd4cf17d24e8a770f32618d6951f93db14158bc7

SHA512
d56380274c2d7e2b220dc994600c3edfc1a3511440418fbbc98d718368138d8f388fe337256b9d57b01ca5aad4a5d92d07c1d87ed8a9d03b1d1289b9cfcb27a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15635943177.exe

Filesize
1.5MB

MD5
b0e64f3da02fe0bac5102fe4c0f65c32

SHA1
eaf3e3cb39714a9fae0f1024f81a401aaf412436

SHA256
dbc10a499e0c3bddcfa7266d5cce117343e0d8a164bdaa5d5dbcfee5d5392571

SHA512
579d4ba54a5a41cf2261360f0c009fd3e7b6990499e2366cb6f1eceacb2cc6215f053e780484908211b824711acbea389f3d91de6f40b9e2b6564baedd106805

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun156aa32cae4a.exe

Filesize
1.5MB

MD5
0fef60f3a25ff7257960568315547fc2

SHA1
8143c78b9e2a5e08b8f609794b4c4015631fcb0b

SHA256
c7105cfcf01280ad26bbaa6184675cbd41dac98690b0dcd6d7b46235a9902099

SHA512
d999088ec14b8f2e1aa3a2f63e57488a5fe3d3375370c68c5323a21c59a643633a5080b753e3d69dfafe748dbdfeb6d7fa94bdf5272b4a9501fd3918633ee1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun156d9ca8467.exe

Filesize
1.2MB

MD5
31f859eb06a677bbd744fc0cc7e75dc5

SHA1
273c59023bd4c58a9bc20f2d172a87f1a70b78a5

SHA256
671539883e1cd86422b94e84cc21f3d9737c8327b7a76c4972768248cb26b7e6

SHA512
7d6a611bc76132a170a32fcbe4c3e3b528a90390b612ce2171febea59f1b723dafc0ec9628df50d07a9841561ddb23cdefbf3adcac160da60e337e7f3695e4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun157e7a96e632.exe

Filesize
120KB

MD5
dcde74f81ad6361c53ebdc164879a25c

SHA1
640f7b475864bd266edba226e86672101bf6f5c9

SHA256
cc10c90381719811def4bc31ff3c8e32c483c0eeffcb149df0b071e5a60d517b

SHA512
821b1a05601bbaee21cbd0b3cf2859359795ae55a3df8dea81f1142ede74b52af31273ffbbba772d77e40477853e6b02c9df8c44fc2ddad1cf3d248530427fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1580e9cd8c23e.exe

Filesize
8KB

MD5
88c2669e0bd058696300a9e233961b93

SHA1
fdbdc7399faa62ef2d811053a5053cd5d543a24b

SHA256
4e3c72337ad6ede0f71934734ba639a39949c003d7943cb946ea4173b23fd0b7

SHA512
e159767dbf9ce9cce58ee9ee8f2edeffdc9edcf56253ccd880b5f55014c56e267fdb8fdeb8e18c1bd2285e4a31938053c488ee52722d540352d6093dbe974e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun1585e1028b0.exe

Filesize
3.9MB

MD5
fb8851a1a68d306eb1623bad276012c3

SHA1
33c2e2a59351591807853e58c24edb925e56a216

SHA256
d222076f428d9d190f72e7d6b0373083f2659804fdb2265603aa66efd640ff7e

SHA512
3ad2114d8ebde46e981f7ef261ace24a5a47674987047199d22eeeca82c3dd05aeed9a01ff1e6df11a180c051063c9d55cab09e923e8229e0d08e62b46d99b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15a8461882.exe

Filesize
1.2MB

MD5
4bb6c620715fe25e76d4cca1e68bef89

SHA1
0cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80

SHA256
0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051

SHA512
59203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15b94526a807b.exe

Filesize
1.5MB

MD5
204801e838e4a29f8270ab0ed7626555

SHA1
6ff2c20dc096eefa8084c97c30d95299880862b0

SHA256
13357a53f4c23bd8ac44790aa1db3233614c981ded62949559f63e841354276a

SHA512
008e6cb08094621bbcadfca32cc611a4a8c78158365e5c81eb58c4e7d5b7e3d36c88b543390120104f1c70c5393b1c1c38c33761cf65736fdf6873648df3fc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15c4c762b69ba5.exe

Filesize
181KB

MD5
480f84b5495d22186ca365cfbfc51594

SHA1
eae7c5ed3b0f729360fdd3879f65367a3d14dd95

SHA256
ab63359f23420ce59260dddb7a1747ff97daf656de360a79e35531032ba26e3f

SHA512
ef7df3d3427e621ecc4bbdba0df717ba7509d36896bccfab1a2c461f019c95728936a42a6261649e9a6b8f5037f42678bdbe51ea82af68b8e8f8a9765ee57482

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\Sun15e81af69f990d3a6.exe

Filesize
1002KB

MD5
4c35bc57b828bf39daef6918bb5e2249

SHA1
a838099c13778642ab1ff8ed8051ff4a5e07acae

SHA256
bfc863ff5634087b983d29c2e0429240dffef2a379f0072802e01e69483027d3

SHA512
946e23a8d78ba0cfe7511e9f1a443ebe97a806e5614eb6f6e94602eeb04eb03ea87446e0b2c57e6102dad8ef09a7b46c10841aeebbffe4be81aad236608a2f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS07647EC7\setup_install.exe

Filesize
2.1MB

MD5
f7154abf1245e17ee802340608c5f728

SHA1
48fc1a71ad8dd0f04699b60144ed28e50ecd61dd

SHA256
6a1adfee6f5c76521479177391647ec0cdd3c367600a72904d87c4edb25f5344

SHA512
e5f79d338e0c2bbb65a799c389479ec955d7370c674e5aa13ecbae7d62be57f51f4f7b24e597e36078c901539a60923baf489483689781005e05dd76095b2192

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guygeoaa.mnn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3UOP9.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FH87S.tmp\Sun15b94526a807b.tmp

Filesize
2.5MB

MD5
a6865d7dffcc927d975be63b76147e20

SHA1
28e7edab84163cc2d0c864820bef89bae6f56bf8

SHA256
fdfcbc8cfb57a3451a3d148e50794772d477ed6cc434acc779f1f0dd63e93f4b

SHA512
a9d2b59b40793fb685911f0e452e43a8e83c1bd133fda8a2a210ef1b9ca7ad419b8502fbb75b37f1b0fdef6ad0381b7d910fbff0bcfdeeec9e26b81d11effcec

Download Submit
memory/116-271-0x0000000007000000-0x00000000070A3000-memory.dmp

Filesize
652KB

Download
memory/116-272-0x00000000055D0000-0x00000000055E1000-memory.dmp

Filesize
68KB

Download
memory/116-261-0x0000000074930000-0x000000007497C000-memory.dmp

Filesize
304KB

Download
memory/116-260-0x0000000005F50000-0x0000000005F9C000-memory.dmp

Filesize
304KB

Download
memory/116-258-0x0000000005700000-0x0000000005A54000-memory.dmp

Filesize
3.3MB

Download
memory/116-273-0x0000000005B60000-0x0000000005B74000-memory.dmp

Filesize
80KB

Download
memory/1544-181-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1544-147-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1548-224-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/1784-115-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1784-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1784-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1784-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1784-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1784-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1784-118-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1784-117-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1784-82-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1784-81-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1784-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1784-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1784-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1784-108-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1784-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1784-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1784-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1784-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1784-71-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/1784-72-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1784-113-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1876-155-0x0000000004DC0000-0x0000000004DCC000-memory.dmp

Filesize
48KB

Download
memory/1876-243-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/1876-153-0x0000000004B90000-0x0000000004C22000-memory.dmp

Filesize
584KB

Download
memory/1876-149-0x00000000001E0000-0x0000000000314000-memory.dmp

Filesize
1.2MB

Download
memory/1876-245-0x0000000005940000-0x0000000005EE4000-memory.dmp

Filesize
5.6MB

Download
memory/1876-244-0x00000000052B0000-0x0000000005398000-memory.dmp

Filesize
928KB

Download
memory/1952-168-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1952-230-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2004-85-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2004-198-0x000000006D1F0000-0x000000006D23C000-memory.dmp

Filesize
304KB

Download
memory/2004-222-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2004-211-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2004-119-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2004-120-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2096-246-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2396-221-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/2568-231-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2660-171-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/2888-158-0x00000000052A0000-0x00000000052BE000-memory.dmp

Filesize
120KB

Download
memory/2888-107-0x0000000005700000-0x0000000005D28000-memory.dmp

Filesize
6.2MB

Download
memory/2888-214-0x0000000007B80000-0x0000000007B88000-memory.dmp

Filesize
32KB

Download
memory/2888-182-0x0000000006AF0000-0x0000000006B22000-memory.dmp

Filesize
200KB

Download
memory/2888-84-0x0000000073CDE000-0x0000000073CDF000-memory.dmp

Filesize
4KB

Download
memory/2888-193-0x0000000006AD0000-0x0000000006AEE000-memory.dmp

Filesize
120KB

Download
memory/2888-86-0x0000000002F40000-0x0000000002F76000-memory.dmp

Filesize
216KB

Download
memory/2888-183-0x000000006D1F0000-0x000000006D23C000-memory.dmp

Filesize
304KB

Download
memory/2888-109-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2888-122-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2888-135-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/2888-148-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/2888-208-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/2888-197-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/2888-217-0x0000000073CD0000-0x0000000074480000-memory.dmp

Filesize
7.7MB

Download
memory/2888-195-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/2888-164-0x0000000006680000-0x00000000066CC000-memory.dmp

Filesize
304KB

Download
memory/2888-196-0x0000000007860000-0x000000000787A000-memory.dmp

Filesize
104KB

Download
memory/2888-212-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

Filesize
80KB

Download
memory/2888-134-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/2888-210-0x0000000007A90000-0x0000000007A9E000-memory.dmp

Filesize
56KB

Download
memory/2888-213-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/2888-209-0x0000000007A60000-0x0000000007A71000-memory.dmp

Filesize
68KB

Download
memory/2888-194-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/2888-128-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/4308-173-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4308-151-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4768-296-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-278-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-305-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-275-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-287-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-281-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-237-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-284-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-290-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-293-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-240-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-299-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4768-302-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download
memory/4944-229-0x0000000000400000-0x0000000000C36000-memory.dmp

Filesize
8.2MB

Download