glupteba | e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382

Analysis

max time kernel
34s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Size

4.1MB
MD5

f35727760b1c7c625c7972e67267c956
SHA1

c44246e010902ba95c1d122a88032cc3ed7f792b
SHA256

e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382
SHA512

6e77bb6601762714c4c8a536066607c1da451f08b01a7b820272361923a916494369f7f6eb389c3339b5d9ce53cfb1ec63b387bf2d92a44e4f9e5da5f0df43b4
SSDEEP

98304:l2ZIGA1T7oyz00rMTuY9Tg4EWKl5r1M2TRZUo:l2ZIdTcy5Y9k4fO5M2z

Score

10^/10

glupteba dropper evasion loader persistence upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 16 IoCs

resource	yara_rule
behavioral1/memory/3920-2-0x0000000002F20000-0x000000000380B000-memory.dmp	family_glupteba
behavioral1/memory/3920-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3920-24-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3920-55-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3920-56-0x0000000002F20000-0x000000000380B000-memory.dmp	family_glupteba
behavioral1/memory/2460-59-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2460-109-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2460-111-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2460-178-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2172-230-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2172-276-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2172-310-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2172-326-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2172-338-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2172-352-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2172-363-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2768	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	csrss.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022e55-250.dat	upx
behavioral1/files/0x0006000000022e55-277.dat	upx
behavioral1/memory/4852-286-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0006000000022e55-261.dat	upx
behavioral1/memory/3348-321-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3348-347-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0009000000022e5a-407.dat	upx
behavioral1/files/0x0009000000022e5a-409.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
File created	C:\Windows\rss\csrss.exe	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4056	sc.exe
2212	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1028	schtasks.exe
3900	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe
3920	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
3920	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
1584	powershell.exe
1584	powershell.exe
1584	powershell.exe
1096	powershell.exe
1096	powershell.exe
1096	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	3920	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Token: SeImpersonatePrivilege	3920	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 4972	3920	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	92
PID 3920 wrote to memory of 4972	3920	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	92
PID 3920 wrote to memory of 4972	3920	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	92
PID 2460 wrote to memory of 2116	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	103
PID 2460 wrote to memory of 2116	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	103
PID 2460 wrote to memory of 2116	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	103
PID 2460 wrote to memory of 3372	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	105
PID 2460 wrote to memory of 3372	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	105
PID 3372 wrote to memory of 2768	3372	cmd.exe	106
PID 3372 wrote to memory of 2768	3372	cmd.exe	106
PID 2460 wrote to memory of 1584	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	107
PID 2460 wrote to memory of 1584	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	107
PID 2460 wrote to memory of 1584	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	107
PID 2460 wrote to memory of 1096	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	110
PID 2460 wrote to memory of 1096	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	110
PID 2460 wrote to memory of 1096	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	110
PID 2460 wrote to memory of 2172	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	112
PID 2460 wrote to memory of 2172	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	112
PID 2460 wrote to memory of 2172	2460	e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe	112

C:\Users\Admin\AppData\Local\Temp\e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
"C:\Users\Admin\AppData\Local\Temp\e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Users\Admin\AppData\Local\Temp\e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe
  "C:\Users\Admin\AppData\Local\Temp\e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    PID:2172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1944
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:1924
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4268
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
      4⤵
      PID:4364
    - - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Launches sc.exe
        
        PID:4056
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      4⤵
      PID:2900
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        5⤵
        
        PID:2420
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        5⤵
        
        PID:3356

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:732
- C:\Windows\SysWOW64\sc.exe
  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  2⤵
  - Launches sc.exe
  PID:2212

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgg3yrwp.rqa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Filesize
99KB

MD5
09031a062610d77d685c9934318b4170

SHA1
880f744184e7774f3d14c1bb857e21cc7fe89a6d

SHA256
778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

SHA512
9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-certs

Filesize
15KB

MD5
ba1acac1524d26bd2b0f122b8b53d717

SHA1
2a330b6373d3ab7b0cdb1c3fa4a339d23716ab8d

SHA256
778ca3434b7a7ec8600488b52d00ee921b67b65b9cc479248656c220954690c3

SHA512
b7830f85c49bd9685caf64c1e6c3bae2e710263b74b4dd7b685fb491cf403ae745ae30618015050c74ea0c81061350540b7840482915503b59083c3da064f26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus

Filesize
2.9MB

MD5
46dcdbb6132c4ebfa7058355a7c52ca0

SHA1
6c001d69ec19aad5e741851f30b64c5adb1b97eb

SHA256
76a875b73c0941836a2b59a33fb7708645e5ac0187859380146ffcda053f2a16

SHA512
34df789dfbc319210d0f81db94b00e844e6a8882d643258e06c86bc7398faca7e3f6a883887d0a1eea4eb9ddb19e4eea7f9b123503330b4c63b769219b9821be

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp

Filesize
2.9MB

MD5
46dcdbb6132c4ebfa7058355a7c52ca0

SHA1
6c001d69ec19aad5e741851f30b64c5adb1b97eb

SHA256
76a875b73c0941836a2b59a33fb7708645e5ac0187859380146ffcda053f2a16

SHA512
34df789dfbc319210d0f81db94b00e844e6a8882d643258e06c86bc7398faca7e3f6a883887d0a1eea4eb9ddb19e4eea7f9b123503330b4c63b769219b9821be

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new

Filesize
20.8MB

MD5
1c2a55ac04582db41a919234fa048c3a

SHA1
c4d6eaaad39490b7469e06fb95a6fb0b3d33f146

SHA256
c9f71922c0caa35c26cac8ba1839c3f40ebd39587e894d52e5c010fbfe66724f

SHA512
038754948d74083efbc086a9abfe1d7a6daa083062846a0b2fb2b53907889a1927f03613d5f122b17ed44d1aa7e02d370aea16ee94891990d7bc56d662f690c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new

Filesize
20.8MB

MD5
1c2a55ac04582db41a919234fa048c3a

SHA1
c4d6eaaad39490b7469e06fb95a6fb0b3d33f146

SHA256
c9f71922c0caa35c26cac8ba1839c3f40ebd39587e894d52e5c010fbfe66724f

SHA512
038754948d74083efbc086a9abfe1d7a6daa083062846a0b2fb2b53907889a1927f03613d5f122b17ed44d1aa7e02d370aea16ee94891990d7bc56d662f690c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\geoip

Filesize
3.8MB

MD5
c72911dec6ae8c4bc62bb2a6a21ba85b

SHA1
0ae7077313a53103c2b32100d74aafc04216289d

SHA256
7e777efc194ea9788171636085b19875d19397d3249fbb88136534037a3dc38f

SHA512
99dc9761ad69f5508d96a2362b930728d451f5ddcf7bb1e210ec5b0f14ee00ee71efaaab150ffa16a2f92fbbb1e2a6b5cd92d51721996df7ac794491c441c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\geoip6

Filesize
5.6MB

MD5
ed2f9b19dd1584d7e26f5ba460ef2fbf

SHA1
dcbf1789bf1eeb03276b830cb2ab92bcf779d97f

SHA256
f11bd1d7546cad00b6db0a1594f3ac1daf9f541004fd7efb5414e068693d6add

SHA512
dcfc780d1e34968390969b64ea2091b630c8eec94ac4724a4103a003a2f31545c3791a39f514517153538b4d3f5c50b6bfba74cc9cf8c0b1b5daba0a4849c856

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll

Filesize
3.5MB

MD5
b7c32c8e7d21aa9b79470037227eba43

SHA1
38d719b10ca035cee65162c1a44e2c62123d41b4

SHA256
99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23

SHA512
d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll

Filesize
876KB

MD5
736443b08b5a52b6958f001e8200be71

SHA1
e56ddc8476aef0d3482c99c5bfaf0f57458b2576

SHA256
da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4

SHA512
9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent_core-2-1-7.dll

Filesize
701KB

MD5
f1bcc8bd3200845993211eb807f33e56

SHA1
d25274e36e79d8e50a446b1144d8b6f2b2cf309b

SHA256
7cd199bbf3bfe19182c5eca3a080a7e93cec0d30cbd872a305c92bc9282a7399

SHA512
397ba6b995aebce54b95c7f3abd3c64ae2c5ab3d01fb38185f8fccad82cac335e2f0666fc47b73d3a3a4af9b5a5ce311e4963841616f4d38b03e1bc16355b5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent_extra-2-1-7.dll

Filesize
497KB

MD5
f963552b851fde3834405bb98bae0c36

SHA1
822c7d7988ac28aca080dbc9c26f98416f67124f

SHA256
36c66cfc6e9663bdd2cdc54a1253a8c26c837ca0bd8c52769b5820641c18d4c3

SHA512
b301df8740e07c1032e959e563842d568916f7165f72c459c0ffcbe1a717b0886be1d2ef8b992875392a09983ae9e35e7481b29c213a18ee15b335a9849cf39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll

Filesize
668KB

MD5
36e1c3814bde3418ba3d38517954cb7c

SHA1
495e1ba5b0b442e70124d33daa6fea4e3e5931b0

SHA256
b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1

SHA512
df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll

Filesize
938KB

MD5
d92e59b71bf8a0d827597ed95b2eca42

SHA1
cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a

SHA256
b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3

SHA512
be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll

Filesize
95KB

MD5
7cdbaca31739500aefc06dd85a8558ff

SHA1
adc36ec6a3cdc7e57a1b706c820e382627f6cb90

SHA256
0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb

SHA512
6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libwinpthread-1.dll

Filesize
301KB

MD5
07f4bbf18077231cb44750684dd8daf4

SHA1
8560627e9e05d6022abdfe7e576856e91ac90188

SHA256
4a146671b1fed4906799cb1cfc670753f1b1922793f5b40d5cf710befb287316

SHA512
04e31ad60e797cdbd1f3db36a8473139bbd1b763d2d67a160454b24b524e8bbc4d5784c62446a0f9d83b95dd518534ab4581d3a43a14146b17d0035ecc79c151

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\state

Filesize
3KB

MD5
3970dc0801fa319f52107d47a6633779

SHA1
54d0da8cc18acc20876e4d8f34fc7209683172bd

SHA256
542f12ae0315db65dc0a54a48d321b4c33c9ec48ef550b40c24bdff4e58b5f30

SHA512
1135c1224285179a149014b0d4e1e56d4abbef941ff8fa05a21a6642776e3a95d517c21022dddaf9abdfccd8fe87ae7ac07e4a0c8415df77374373d1c590c6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor-gencert.exe

Filesize
1.0MB

MD5
8a574c633eb3c8b7d209b5940ebf731b

SHA1
e835c5668ad1437cebdbd56bc7923c3683e8b9ad

SHA256
bfd8dd86a41bc05beea0f240c35e88bd42abada70eff4741717901d1b55bfb28

SHA512
085ee9d9c52fd5f6ff2095727d9e3b1d27c5b2d3ab54ca11149954a4b031296c9cf9c81457a2df8eba916336cdef4ea2bd39cf98d4ad19ab78e53ac85b6d6dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

Filesize
4.3MB

MD5
055ae7c584a7b012955bf5d874f30cfa

SHA1
f2b4d8c5307ff09607be929ec08fc2727bf03dcf

SHA256
d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8

SHA512
910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\unverified-microdesc-consensus

Filesize
2.9MB

MD5
46dcdbb6132c4ebfa7058355a7c52ca0

SHA1
6c001d69ec19aad5e741851f30b64c5adb1b97eb

SHA256
76a875b73c0941836a2b59a33fb7708645e5ac0187859380146ffcda053f2a16

SHA512
34df789dfbc319210d0f81db94b00e844e6a8882d643258e06c86bc7398faca7e3f6a883887d0a1eea4eb9ddb19e4eea7f9b123503330b4c63b769219b9821be

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll

Filesize
135KB

MD5
f08b1f044c68770c190daf1eb1f3157e

SHA1
f94103a542459d60434f9ddb6b5f45b11eae2923

SHA256
1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27

SHA512
0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt

Filesize
4KB

MD5
89fc66eca82b619662a4d3ab09b32005

SHA1
f210face01de5feb29cd79f894f038f4f915e327

SHA256
d6b97ca83b7c48e9bf73748ff56c6edf35c7f68e9edf8036514066ef75f66f43

SHA512
f996ce77dc757612b0bc52f7efc64059962b8dbe148818681f4e4c5938796392e159b0230e1a9c817b9870c250b546eacecce2afb6f436143a408103b2b945c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc

Filesize
227B

MD5
17c2994d6a89cb7d277f1b3f0b49e5ed

SHA1
2a72ffc34cb2a7d7d3057f4725f2ac660a809158

SHA256
38ad4c6fb403fc2d5dc0dc83a165983a3fb426e0a850847fefc35e62a5ced67f

SHA512
d145ea667f70ed08b12d44228aea09cab637dd1acee131b919f22efdd4730b0c18daa0c83b196f5efa2082cf8f90bcd618b7c7efaab79ca5f0478ade0aca4728

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
384cf609d6b6fe23d36e777cb2db1c2f

SHA1
7794508476a12203d6ac1474a0d20d8c98faef6b

SHA256
c3554ad6435a99b237755237308494c6d87b4ed759c85e02e1fa8bb0d5ab2368

SHA512
54f83e7563ce4c64a585371282513510304774d5f8625aac68413322bcfa32b94308603f0e121d23d90aa43b4094a7edd624062f6a2ab2ea9419a763f6a8ac04

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7086b598642c6bf542e8101a1a4e12f7

SHA1
fe51cd28cd86a95885f34ba4a9814b22b6d37f9f

SHA256
2bdd75c9739e973ddb8a1b138b0988eb308e4d269345df1bfe58850f43475dea

SHA512
2bc0959f17ebd90210cb2c2d7b8d073336d91aca6bb782cc610cbc81c9cd08425399d212d93642d860ba00ec0127aad4dc0cf58e200ef519168645c005b49477

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
dcc16a0df8326bf4129ed084db550f15

SHA1
05be221d090b6e5e86c73607f3f3130be8b01061

SHA256
72d25b97100483891e1ce7325eb18cf0bed89ba86aa28e5ca3035cb2ce64ffcf

SHA512
b45543ff62db2d78e48ddb10f4e87b3fcc2fc894f49cac4090675a11bac04959a5323743a87125461c96ac24157341b1a9d7f52012a2d5fc093d51b3b229a9fa

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
54bfe542870e06b8b09a6155860b2eb7

SHA1
8aaf47d3fb213fc8d4397559838957b05c25f329

SHA256
7841b649df9c192c49e14959c157451df60255689cbad6aeca6b8dd34a0277b1

SHA512
e9568c69696f9b6feb4ec5d40a4df78dff10e9220a906903f767279f58291ff3a2cb059c182af93135159d9a03097dfe1b9a859888470a2bcc3b540edd874a44

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
74e19abbb36abf8b91c8a1c9abe190f6

SHA1
ae2cb34a50c16acc00d239ee97fc2f889daf648e

SHA256
5e3ee109f3c2958e661fd226c8ff4bf721856e957413aed6bd6d0c335a6662ea

SHA512
77c7101cdd92858bdc8446d52902d7b3bef9e0bf194f0d13c5e189c7c1f25a6ae1c66e423bf389ea917a9b7e0114190b7ae25acfb6596cc5610b27af2bc55f70

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f35727760b1c7c625c7972e67267c956

SHA1
c44246e010902ba95c1d122a88032cc3ed7f792b

SHA256
e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382

SHA512
6e77bb6601762714c4c8a536066607c1da451f08b01a7b820272361923a916494369f7f6eb389c3339b5d9ce53cfb1ec63b387bf2d92a44e4f9e5da5f0df43b4

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f35727760b1c7c625c7972e67267c956

SHA1
c44246e010902ba95c1d122a88032cc3ed7f792b

SHA256
e99fc721d12aa6b00f8bb58c1ebb7a7a6a8a156757a68be3e071a0cb49ce7382

SHA512
6e77bb6601762714c4c8a536066607c1da451f08b01a7b820272361923a916494369f7f6eb389c3339b5d9ce53cfb1ec63b387bf2d92a44e4f9e5da5f0df43b4

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1096-133-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/1096-139-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/1096-125-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/1096-127-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/1096-126-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/1584-94-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/1584-113-0x000000007F800000-0x000000007F810000-memory.dmp

Filesize
64KB

Download
memory/1584-101-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/1584-107-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/1584-95-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/1584-124-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/1584-110-0x0000000070140000-0x000000007018C000-memory.dmp

Filesize
304KB

Download
memory/1584-112-0x00000000702C0000-0x0000000070614000-memory.dmp

Filesize
3.3MB

Download
memory/2116-92-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/2116-62-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2116-77-0x0000000070900000-0x0000000070C54000-memory.dmp

Filesize
3.3MB

Download
memory/2116-87-0x0000000006FF0000-0x0000000007093000-memory.dmp

Filesize
652KB

Download
memory/2116-73-0x0000000006100000-0x000000000614C000-memory.dmp

Filesize
304KB

Download
memory/2116-74-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2116-88-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/2116-75-0x000000007F4E0000-0x000000007F4F0000-memory.dmp

Filesize
64KB

Download
memory/2116-89-0x0000000007350000-0x0000000007364000-memory.dmp

Filesize
80KB

Download
memory/2116-60-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/2116-68-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/2116-61-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2116-76-0x0000000070140000-0x000000007018C000-memory.dmp

Filesize
304KB

Download
memory/2172-276-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2172-363-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2172-310-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2172-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2172-338-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2172-326-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2172-352-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2460-106-0x0000000002B00000-0x0000000002F04000-memory.dmp

Filesize
4.0MB

Download
memory/2460-58-0x0000000002B00000-0x0000000002F04000-memory.dmp

Filesize
4.0MB

Download
memory/2460-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2460-178-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2460-111-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2460-109-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3348-347-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3348-321-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3920-48-0x0000000002B20000-0x0000000002F1A000-memory.dmp

Filesize
4.0MB

Download
memory/3920-24-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3920-2-0x0000000002F20000-0x000000000380B000-memory.dmp

Filesize
8.9MB

Download
memory/3920-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3920-1-0x0000000002B20000-0x0000000002F1A000-memory.dmp

Filesize
4.0MB

Download
memory/3920-56-0x0000000002F20000-0x000000000380B000-memory.dmp

Filesize
8.9MB

Download
memory/3920-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4852-286-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4956-364-0x00000000002B0000-0x00000000006FE000-memory.dmp

Filesize
4.3MB

Download
memory/4956-312-0x0000000074BA0000-0x0000000074BBE000-memory.dmp

Filesize
120KB

Download
memory/4956-274-0x00000000002B0000-0x00000000006FE000-memory.dmp

Filesize
4.3MB

Download
memory/4956-353-0x00000000002B0000-0x00000000006FE000-memory.dmp

Filesize
4.3MB

Download
memory/4956-339-0x00000000002B0000-0x00000000006FE000-memory.dmp

Filesize
4.3MB

Download
memory/4956-271-0x0000000074860000-0x0000000074921000-memory.dmp

Filesize
772KB

Download
memory/4956-327-0x00000000002B0000-0x00000000006FE000-memory.dmp

Filesize
4.3MB

Download
memory/4956-272-0x0000000074830000-0x000000007485A000-memory.dmp

Filesize
168KB

Download
memory/4956-318-0x00000000743B0000-0x00000000746B1000-memory.dmp

Filesize
3.0MB

Download
memory/4956-320-0x0000000074360000-0x00000000743AD000-memory.dmp

Filesize
308KB

Download
memory/4956-317-0x0000000074790000-0x0000000074830000-memory.dmp

Filesize
640KB

Download
memory/4956-316-0x00000000746C0000-0x0000000074782000-memory.dmp

Filesize
776KB

Download
memory/4956-311-0x00000000002B0000-0x00000000006FE000-memory.dmp

Filesize
4.3MB

Download
memory/4956-314-0x0000000074860000-0x0000000074921000-memory.dmp

Filesize
772KB

Download
memory/4972-43-0x0000000007370000-0x0000000007413000-memory.dmp

Filesize
652KB

Download
memory/4972-50-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/4972-25-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4972-26-0x0000000007060000-0x00000000070D6000-memory.dmp

Filesize
472KB

Download
memory/4972-27-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-51-0x00000000075D0000-0x00000000075D8000-memory.dmp

Filesize
32KB

Download
memory/4972-28-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/4972-29-0x000000007EFD0000-0x000000007EFE0000-memory.dmp

Filesize
64KB

Download
memory/4972-30-0x0000000007330000-0x0000000007362000-memory.dmp

Filesize
200KB

Download
memory/4972-54-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/4972-31-0x0000000070040000-0x000000007008C000-memory.dmp

Filesize
304KB

Download
memory/4972-44-0x0000000007460000-0x000000000746A000-memory.dmp

Filesize
40KB

Download
memory/4972-45-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/4972-32-0x00000000707C0000-0x0000000070B14000-memory.dmp

Filesize
3.3MB

Download
memory/4972-47-0x00000000074F0000-0x00000000074FE000-memory.dmp

Filesize
56KB

Download
memory/4972-42-0x0000000007310000-0x000000000732E000-memory.dmp

Filesize
120KB

Download
memory/4972-23-0x0000000006360000-0x00000000063A4000-memory.dmp

Filesize
272KB

Download
memory/4972-22-0x0000000005E60000-0x0000000005EAC000-memory.dmp

Filesize
304KB

Download
memory/4972-21-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/4972-17-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4972-10-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/4972-9-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/4972-8-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/4972-7-0x0000000004FB0000-0x00000000055D8000-memory.dmp

Filesize
6.2MB

Download
memory/4972-5-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/4972-6-0x00000000047C0000-0x00000000047F6000-memory.dmp

Filesize
216KB

Download
memory/4972-4-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/4972-46-0x0000000007490000-0x00000000074A1000-memory.dmp

Filesize
68KB

Download
memory/4972-49-0x0000000007500000-0x0000000007514000-memory.dmp

Filesize
80KB

Download