glupteba | c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611

Analysis

max time kernel
59s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Size

4.2MB
MD5

c67a06582265496f4dcfda29ae390be1
SHA1

df1f183c517b30f4bdd5e76b75ed2d534d728355
SHA256

c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611
SHA512

650031c2d6a2eb10ab893b7b0bb40b45f5e804a2dc3c5a771cc1f3de8fd3223aaf632e7ba50ea6d50663cea99a07a5f15369ac6aa1110d5d5008a314b390cc0e
SSDEEP

98304:abY7C/AXQmIN/Mf2xhlSFNqpX3duILX2mVPpezgrBhzQcY:z7C4mSf2x3SgduW2mVPOtcY

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 21 IoCs

resource	yara_rule
behavioral2/memory/1332-2-0x0000000004CA0000-0x000000000558B000-memory.dmp	family_glupteba
behavioral2/memory/1332-3-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/1332-4-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/1332-9-0x0000000004CA0000-0x000000000558B000-memory.dmp	family_glupteba
behavioral2/memory/1332-12-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/1332-34-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/1332-56-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/1332-65-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/792-68-0x0000000004A70000-0x000000000535B000-memory.dmp	family_glupteba
behavioral2/memory/792-69-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/792-104-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/792-105-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/792-162-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/792-165-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/940-203-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/940-269-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/940-276-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/940-279-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/940-281-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/940-283-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba
behavioral2/memory/940-292-0x0000000000400000-0x000000000298A000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1184	netsh.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000230d1-272.dat	upx
behavioral2/files/0x00070000000230d1-274.dat	upx
behavioral2/files/0x00070000000230d1-275.dat	upx
behavioral2/memory/4308-277-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/396-280-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/396-284-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x00080000000230db-288.dat	upx
behavioral2/files/0x00080000000230db-289.dat	upx
behavioral2/memory/396-291-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3916-293-0x0000000000400000-0x0000000000C25000-memory.dmp	upx
behavioral2/memory/3916-295-0x0000000000400000-0x0000000000C25000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4672	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1932	1332	WerFault.exe	84
3820	940	WerFault.exe	110

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2704	schtasks.exe
5008	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3712	powershell.exe
3712	powershell.exe
1332	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
1332	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
2708	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	1332	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Token: SeImpersonatePrivilege	1332	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 3712	1332	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe	86
PID 1332 wrote to memory of 3712	1332	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe	86
PID 1332 wrote to memory of 3712	1332	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe	86
PID 792 wrote to memory of 2708	792	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe	102
PID 792 wrote to memory of 2708	792	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe	102
PID 792 wrote to memory of 2708	792	c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe	102

C:\Users\Admin\AppData\Local\Temp\c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
"C:\Users\Admin\AppData\Local\Temp\c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Users\Admin\AppData\Local\Temp\c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe
  "C:\Users\Admin\AppData\Local\Temp\c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2312
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4992
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4968
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4224
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:5016
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:5008
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4308
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2208
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      4⤵
      PID:3916
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        5⤵
        
        PID:4328
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        5⤵
        
        PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 1252
      4⤵
      Program crash
      PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 764
  2⤵
  - Program crash
  PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1332 -ip 1332
1⤵
PID:2264

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 940 -ip 940
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h3dykufy.jqh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
115105e635c0bdb49a5351789c7bdb07

SHA1
40f0fa3e6a577dadb63a683da1f8caa4c1398604

SHA256
33559838846657235a925bc4824a8cf9e50f8711575116d9f22ae10bf717f510

SHA512
e29ddc5457153361fd6938156513cfd5e2386b2f6f0edadad71788f84e109f553fcfc4d9f1b850cd5c1bb08573285e329c913008582d876eaf226fc179d60b2e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6d565d35592e97e61d8a469135a371d9

SHA1
c1b4dafff28682de6c9afa1b3f9e43ba453a8dde

SHA256
6ab99cb6949b3f070910d78c3385a1b0d6240ffd05466c222f9ce30d334ff52c

SHA512
16b7ac2dce496aa6a940633779f584006a4d617e1ea0ffa8b0b27ff6ea443d728070e945451eaeaaa96f98cfb50710de2d9085fa57efa1ec9004c9e60e0a94ea

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0ad3245f7d19fcc4a46fd06c8c5c3cec

SHA1
6607555d6b87c4a344d5556c1b8295b582454d46

SHA256
d3d1aadef89a222942cc4231225f8eec018e7ad0cb9f6abda60b562747f9daa9

SHA512
0506d300b32d97114ee64d1e277de81f562acb2ee9d7b0c40530d2f29ece046491b20f086010a39c448227a643da551695b3ce87be471c0d9db029cce14e22cf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d94aa01c77293318b11adace87094f33

SHA1
91d8aaa0d74d29c1ed50353cc53c5f65c7d5b829

SHA256
708cb95de82e2a4524b1e905c56818e55003eb0e8b4440cc63351f23c9c774da

SHA512
ffe71a621463df55046865b2fb47910647feea6fbc0ecc7640cf5053cca88dbabd58050421a86dddd5465627a85d32949f0093209e984bf62f692d31c52a3a96

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
565c4b71166ef7574c0bd9b107805477

SHA1
261243f30a63b784b783fd870e06874ba45f0545

SHA256
f13e5c29d1c3eb1cfffb0e873abae7f42498e08c763ef7e29d204b88ba9d6b31

SHA512
6ebec4c529dd0f5e38ed8617e6c6cc94ba8257a7c5dacd0372fe36d3afce12cb378c6ada7b88e983045f7197af2c79ea0a3a802f6bc8bb466360d952e2450ac3

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
c67a06582265496f4dcfda29ae390be1

SHA1
df1f183c517b30f4bdd5e76b75ed2d534d728355

SHA256
c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611

SHA512
650031c2d6a2eb10ab893b7b0bb40b45f5e804a2dc3c5a771cc1f3de8fd3223aaf632e7ba50ea6d50663cea99a07a5f15369ac6aa1110d5d5008a314b390cc0e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
c67a06582265496f4dcfda29ae390be1

SHA1
df1f183c517b30f4bdd5e76b75ed2d534d728355

SHA256
c1087ee37b0052aa61aa5f292f3151e6f80461586143544cf147e191fafe6611

SHA512
650031c2d6a2eb10ab893b7b0bb40b45f5e804a2dc3c5a771cc1f3de8fd3223aaf632e7ba50ea6d50663cea99a07a5f15369ac6aa1110d5d5008a314b390cc0e

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/396-284-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/396-291-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/396-280-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/464-121-0x0000000070410000-0x000000007045C000-memory.dmp

Filesize
304KB

Download
memory/464-109-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/464-108-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/464-107-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/464-122-0x0000000070BD0000-0x0000000070F24000-memory.dmp

Filesize
3.3MB

Download
memory/464-120-0x000000007F2C0000-0x000000007F2D0000-memory.dmp

Filesize
64KB

Download
memory/792-68-0x0000000004A70000-0x000000000535B000-memory.dmp

Filesize
8.9MB

Download
memory/792-104-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/792-67-0x0000000004670000-0x0000000004A6E000-memory.dmp

Filesize
4.0MB

Download
memory/792-105-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/792-165-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/792-69-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/792-100-0x0000000004670000-0x0000000004A6E000-memory.dmp

Filesize
4.0MB

Download
memory/792-162-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/940-292-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/940-281-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/940-269-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/940-203-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/940-283-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/940-276-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/940-279-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/1332-34-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/1332-3-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/1332-2-0x0000000004CA0000-0x000000000558B000-memory.dmp

Filesize
8.9MB

Download
memory/1332-65-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/1332-56-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/1332-4-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/1332-8-0x0000000004890000-0x0000000004C93000-memory.dmp

Filesize
4.0MB

Download
memory/1332-9-0x0000000004CA0000-0x000000000558B000-memory.dmp

Filesize
8.9MB

Download
memory/1332-12-0x0000000000400000-0x000000000298A000-memory.dmp

Filesize
37.5MB

Download
memory/1332-1-0x0000000004890000-0x0000000004C93000-memory.dmp

Filesize
4.0MB

Download
memory/2708-71-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2708-83-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/2708-84-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2708-86-0x0000000070410000-0x000000007045C000-memory.dmp

Filesize
304KB

Download
memory/2708-87-0x0000000070BD0000-0x0000000070F24000-memory.dmp

Filesize
3.3MB

Download
memory/2708-85-0x000000007F100000-0x000000007F110000-memory.dmp

Filesize
64KB

Download
memory/2708-97-0x0000000007920000-0x00000000079C3000-memory.dmp

Filesize
652KB

Download
memory/2708-98-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/2708-99-0x0000000007CA0000-0x0000000007CB4000-memory.dmp

Filesize
80KB

Download
memory/2708-73-0x00000000060B0000-0x0000000006404000-memory.dmp

Filesize
3.3MB

Download
memory/2708-103-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/2708-72-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2708-70-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/3712-40-0x0000000070310000-0x000000007035C000-memory.dmp

Filesize
304KB

Download
memory/3712-32-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3712-60-0x0000000007C50000-0x0000000007C6A000-memory.dmp

Filesize
104KB

Download
memory/3712-59-0x0000000007C10000-0x0000000007C24000-memory.dmp

Filesize
80KB

Download
memory/3712-58-0x0000000007BF0000-0x0000000007BFE000-memory.dmp

Filesize
56KB

Download
memory/3712-57-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

Filesize
68KB

Download
memory/3712-55-0x0000000007CB0000-0x0000000007D46000-memory.dmp

Filesize
600KB

Download
memory/3712-54-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3712-53-0x00000000079B0000-0x00000000079BA000-memory.dmp

Filesize
40KB

Download
memory/3712-52-0x0000000007A20000-0x0000000007AC3000-memory.dmp

Filesize
652KB

Download
memory/3712-51-0x00000000079C0000-0x00000000079DE000-memory.dmp

Filesize
120KB

Download
memory/3712-41-0x0000000070A10000-0x0000000070D64000-memory.dmp

Filesize
3.3MB

Download
memory/3712-64-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3712-39-0x00000000079E0000-0x0000000007A12000-memory.dmp

Filesize
200KB

Download
memory/3712-38-0x000000007FA70000-0x000000007FA80000-memory.dmp

Filesize
64KB

Download
memory/3712-37-0x0000000007820000-0x000000000783A000-memory.dmp

Filesize
104KB

Download
memory/3712-36-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/3712-35-0x0000000006A80000-0x0000000006AF6000-memory.dmp

Filesize
472KB

Download
memory/3712-33-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3712-61-0x0000000007C40000-0x0000000007C48000-memory.dmp

Filesize
32KB

Download
memory/3712-31-0x0000000006810000-0x0000000006854000-memory.dmp

Filesize
272KB

Download
memory/3712-30-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3712-29-0x0000000006580000-0x00000000065CC000-memory.dmp

Filesize
304KB

Download
memory/3712-28-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/3712-5-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3712-27-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/3712-21-0x0000000005ED0000-0x0000000006224000-memory.dmp

Filesize
3.3MB

Download
memory/3712-15-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/3712-14-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/3712-13-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

Filesize
136KB

Download
memory/3712-11-0x0000000005570000-0x0000000005B98000-memory.dmp

Filesize
6.2MB

Download
memory/3712-10-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3712-7-0x0000000004E50000-0x0000000004E86000-memory.dmp

Filesize
216KB

Download
memory/3712-6-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3916-293-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/3916-295-0x0000000000400000-0x0000000000C25000-memory.dmp

Filesize
8.1MB

Download
memory/4308-277-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download