glupteba | a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
03/10/2023, 09:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Size

4.2MB
MD5

9e007f98ca02e5bc4b17148cf5cc0c51
SHA1

a85a6f47c0b243f7cc9a3266d23f0725aee051b5
SHA256

a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e
SHA512

0024bd76c0e254d843a42a6b586077cfa8888839ff6ec2bcda980ac2cad6bb6bd1dd996dc82c995d4a5229ef891f777d78b544d3fa864f241d5cb8c5b6be1751
SSDEEP

98304:AMXW9xFhF1uQmDdbv5NleFWRJn+be40jKf+3KaaEdet0Y4K78h+o:fXW/V1uDDdbvJRUqofAKKdet0Yn78r

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit trojan

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 20 IoCs

resource	yara_rule
behavioral1/memory/4284-2-0x00000000048D0000-0x00000000051BB000-memory.dmp	family_glupteba
behavioral1/memory/4284-3-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/4284-20-0x00000000048D0000-0x00000000051BB000-memory.dmp	family_glupteba
behavioral1/memory/4284-69-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/4284-307-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/4284-308-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3668-311-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3668-415-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3668-666-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/3668-1056-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1061-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1237-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1583-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1810-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1811-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1812-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1813-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1814-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1815-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba
behavioral1/memory/1096-1816-0x0000000000400000-0x0000000002675000-memory.dmp	family_glupteba

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
4664	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
1096	csrss.exe
4668	injector.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1137129745-4190849146-4270886183-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
File created	C:\Windows\rss\csrss.exe	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2632	schtasks.exe
740	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
4284	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
4284	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
2132	powershell.exe
2132	powershell.exe
2132	powershell.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe
4988	powershell.exe
4988	powershell.exe
4988	powershell.exe
756	powershell.exe
756	powershell.exe
756	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
1096	csrss.exe
1096	csrss.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
1096	csrss.exe
1096	csrss.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe
4668	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4284	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Token: SeImpersonatePrivilege	4284	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeSystemEnvironmentPrivilege	1096	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4344	4284	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	70
PID 4284 wrote to memory of 4344	4284	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	70
PID 4284 wrote to memory of 4344	4284	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	70
PID 3668 wrote to memory of 2132	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	75
PID 3668 wrote to memory of 2132	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	75
PID 3668 wrote to memory of 2132	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	75
PID 3668 wrote to memory of 3132	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	77
PID 3668 wrote to memory of 3132	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	77
PID 3132 wrote to memory of 4664	3132	cmd.exe	79
PID 3132 wrote to memory of 4664	3132	cmd.exe	79
PID 3668 wrote to memory of 4348	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	80
PID 3668 wrote to memory of 4348	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	80
PID 3668 wrote to memory of 4348	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	80
PID 3668 wrote to memory of 4356	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	82
PID 3668 wrote to memory of 4356	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	82
PID 3668 wrote to memory of 4356	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	82
PID 3668 wrote to memory of 1096	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	84
PID 3668 wrote to memory of 1096	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	84
PID 3668 wrote to memory of 1096	3668	a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe	84
PID 1096 wrote to memory of 4988	1096	csrss.exe	85
PID 1096 wrote to memory of 4988	1096	csrss.exe	85
PID 1096 wrote to memory of 4988	1096	csrss.exe	85
PID 1096 wrote to memory of 756	1096	csrss.exe	92
PID 1096 wrote to memory of 756	1096	csrss.exe	92
PID 1096 wrote to memory of 756	1096	csrss.exe	92
PID 1096 wrote to memory of 5044	1096	csrss.exe	94
PID 1096 wrote to memory of 5044	1096	csrss.exe	94
PID 1096 wrote to memory of 5044	1096	csrss.exe	94
PID 1096 wrote to memory of 4668	1096	csrss.exe	96
PID 1096 wrote to memory of 4668	1096	csrss.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
"C:\Users\Admin\AppData\Local\Temp\a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Users\Admin\AppData\Local\Temp\a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe
  "C:\Users\Admin\AppData\Local\Temp\a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\System32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4988
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:740
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4668
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvy4dnwm.iqo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
926809593fd8ae4b45e6b387930695ca

SHA1
858065dc89eb5e877d3a3cb09ea468cfae5cf5d7

SHA256
f2ee2efef9238e63f9cdd74cb9966fd44b4fd11b713db2edc364e5c92b2e3dd8

SHA512
93211c8ba800e4214ab9c6726793b7480f7404859b380a1817102b38802932b4380799d945fc85f544c3a7d8b8a1dcb452451a14c57a97a985b4027327e0fdc6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
92bba0007874176bc43592bed2114c5a

SHA1
8a6570a933c41e83ac4d3118fa4c2110bbcdbe81

SHA256
31e16b1779286db28513a461204f0d3dd2038305c6899f615c0ab58eca5d908d

SHA512
8a351a971e15c7aabdfc0eb64fe7b18fce51acf7928ad8f50473c16737c227f54e99d16680fb400b4cb639f061d26f7338f60c531a959021aae8e998dfc6cc92

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
7efa9fbd814e532b841cc3d4ad2fedbf

SHA1
aa5a6ecf672cc498cc2ead0f6edeef3e163f0828

SHA256
1ff59b2203e534bfe1746d22b86b016e757ee032d54dd00cca2189af235a7711

SHA512
2cd48d69aca66037b4699973571aba1a1af354341d10b68e78f8220bccb0be82fe30acb85dcbf39b666ebde357ac673e6263a4948ae8b6f11ea3b65059872df0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
cf0a93fac9f9c901b44d942818b78b1b

SHA1
f25d760906a12f14baf6deed345b1f2dbae8e255

SHA256
e6f500b1df0b8ae94d331b5ebe8a49f264aeab80be5312a04fa786cc44d16dde

SHA512
cd52b9b9af8a911d58fe42307ba952210978b0e343f08c6c6904b37b422316e4c6df3ff645284a4ec5c61c244b5016686455b4300e42b4bceb4604c4d22e1ab4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
143ffcd8af474dcddc22028a39a11f91

SHA1
27e1e0750b9463dc7625c7c761680e4fb8011837

SHA256
f039c52e66fed39691d0530fea9bda547699787bfbdc4629e24d008d330d9ee6

SHA512
c69f86fdb1d596f43bd6de967c6a966b3b65cefa13c62442b9ea57edd32f196c3f6b1e512d5fc01ca132838a4f79aefe613e31f596b49e4bdba7ea280f9492ca

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
9e007f98ca02e5bc4b17148cf5cc0c51

SHA1
a85a6f47c0b243f7cc9a3266d23f0725aee051b5

SHA256
a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e

SHA512
0024bd76c0e254d843a42a6b586077cfa8888839ff6ec2bcda980ac2cad6bb6bd1dd996dc82c995d4a5229ef891f777d78b544d3fa864f241d5cb8c5b6be1751

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
9e007f98ca02e5bc4b17148cf5cc0c51

SHA1
a85a6f47c0b243f7cc9a3266d23f0725aee051b5

SHA256
a7a45bdd7ce5c1d6a19c1f5f4c3bff711097936737012df36f4850619c50cb0e

SHA512
0024bd76c0e254d843a42a6b586077cfa8888839ff6ec2bcda980ac2cad6bb6bd1dd996dc82c995d4a5229ef891f777d78b544d3fa864f241d5cb8c5b6be1751

Download Submit
memory/1096-1059-0x0000000004800000-0x0000000004BF9000-memory.dmp

Filesize
4.0MB

Download
memory/1096-1814-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1583-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1811-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1810-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1816-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1812-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1237-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1815-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1813-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/1096-1061-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/2132-316-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/2132-314-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-533-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-346-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/2132-344-0x0000000009B60000-0x0000000009C05000-memory.dmp

Filesize
660KB

Download
memory/2132-339-0x0000000070B90000-0x0000000070EE0000-memory.dmp

Filesize
3.3MB

Download
memory/2132-337-0x000000007F210000-0x000000007F220000-memory.dmp

Filesize
64KB

Download
memory/2132-338-0x0000000070B40000-0x0000000070B8B000-memory.dmp

Filesize
300KB

Download
memory/2132-318-0x0000000008690000-0x00000000086DB000-memory.dmp

Filesize
300KB

Download
memory/2132-564-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-554-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/2132-317-0x00000000081D0000-0x0000000008520000-memory.dmp

Filesize
3.3MB

Download
memory/2132-315-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/2132-553-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/3668-310-0x0000000004200000-0x00000000045FD000-memory.dmp

Filesize
4.0MB

Download
memory/3668-345-0x0000000004200000-0x00000000045FD000-memory.dmp

Filesize
4.0MB

Download
memory/3668-1056-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3668-415-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3668-311-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/3668-666-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/4284-3-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/4284-2-0x00000000048D0000-0x00000000051BB000-memory.dmp

Filesize
8.9MB

Download
memory/4284-20-0x00000000048D0000-0x00000000051BB000-memory.dmp

Filesize
8.9MB

Download
memory/4284-69-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/4284-307-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/4284-1-0x00000000044C0000-0x00000000048C4000-memory.dmp

Filesize
4.0MB

Download
memory/4284-11-0x00000000044C0000-0x00000000048C4000-memory.dmp

Filesize
4.0MB

Download
memory/4284-308-0x0000000000400000-0x0000000002675000-memory.dmp

Filesize
34.5MB

Download
memory/4344-78-0x0000000070A20000-0x0000000070A6B000-memory.dmp

Filesize
300KB

Download
memory/4344-87-0x00000000099D0000-0x0000000009A75000-memory.dmp

Filesize
660KB

Download
memory/4344-288-0x0000000009AC0000-0x0000000009AC8000-memory.dmp

Filesize
32KB

Download
memory/4344-283-0x0000000009AE0000-0x0000000009AFA000-memory.dmp

Filesize
104KB

Download
memory/4344-7-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/4344-6-0x0000000004540000-0x0000000004576000-memory.dmp

Filesize
216KB

Download
memory/4344-158-0x0000000004530000-0x0000000004540000-memory.dmp

Filesize
64KB

Download
memory/4344-8-0x0000000004530000-0x0000000004540000-memory.dmp

Filesize
64KB

Download
memory/4344-9-0x0000000004530000-0x0000000004540000-memory.dmp

Filesize
64KB

Download
memory/4344-10-0x0000000006C10000-0x0000000007238000-memory.dmp

Filesize
6.2MB

Download
memory/4344-89-0x0000000009BE0000-0x0000000009C74000-memory.dmp

Filesize
592KB

Download
memory/4344-12-0x0000000006BE0000-0x0000000006C02000-memory.dmp

Filesize
136KB

Download
memory/4344-13-0x0000000007410000-0x0000000007476000-memory.dmp

Filesize
408KB

Download
memory/4344-88-0x0000000004530000-0x0000000004540000-memory.dmp

Filesize
64KB

Download
memory/4344-14-0x0000000007330000-0x0000000007396000-memory.dmp

Filesize
408KB

Download
memory/4344-15-0x0000000007580000-0x00000000078D0000-memory.dmp

Filesize
3.3MB

Download
memory/4344-16-0x00000000079F0000-0x0000000007A0C000-memory.dmp

Filesize
112KB

Download
memory/4344-17-0x0000000007B20000-0x0000000007B6B000-memory.dmp

Filesize
300KB

Download
memory/4344-37-0x0000000007E70000-0x0000000007EAC000-memory.dmp

Filesize
240KB

Download
memory/4344-306-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/4344-82-0x0000000009970000-0x000000000998E000-memory.dmp

Filesize
120KB

Download
memory/4344-81-0x0000000070A70000-0x0000000070DC0000-memory.dmp

Filesize
3.3MB

Download
memory/4344-80-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

Filesize
64KB

Download
memory/4344-79-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/4344-68-0x0000000008C00000-0x0000000008C76000-memory.dmp

Filesize
472KB

Download
memory/4344-77-0x0000000009990000-0x00000000099C3000-memory.dmp

Filesize
204KB

Download
memory/4348-809-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/4348-568-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/4348-569-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/4348-589-0x0000000070B40000-0x0000000070B8B000-memory.dmp

Filesize
300KB

Download
memory/4348-590-0x0000000070B90000-0x0000000070EE0000-memory.dmp

Filesize
3.3MB

Download
memory/4348-595-0x0000000007340000-0x0000000007350000-memory.dmp

Filesize
64KB

Download
memory/4356-834-0x0000000070B90000-0x0000000070EE0000-memory.dmp

Filesize
3.3MB

Download
memory/4356-812-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/4356-832-0x0000000070B40000-0x0000000070B8B000-memory.dmp

Filesize
300KB

Download
memory/4356-833-0x000000007F510000-0x000000007F520000-memory.dmp

Filesize
64KB

Download
memory/4356-839-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4356-1052-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/4988-1064-0x0000000073D70000-0x000000007445E000-memory.dmp

Filesize
6.9MB

Download