glupteba | 5d60502a5cb4d285aa1292f7d1fd6297e07e310babf6fc52bcdc86ef0c9e06bb

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c2c0a3850e702555c86672dfccf87e.exe
Size

4.2MB
MD5

90c2c0a3850e702555c86672dfccf87e
SHA1

547237f6c49839d5b52c21541e3ef97e70c09e14
SHA256

5d60502a5cb4d285aa1292f7d1fd6297e07e310babf6fc52bcdc86ef0c9e06bb
SHA512

bef33bcfe5c99260d7e3d4a1f874606b166a8ee6307780140ce3350df0e1c7804695596fdcd252a9ce5445439afc2bb6a8b33d99bf175fb722f89213197367f9
SSDEEP

98304:teW8UzsHIbLf9dWRHWVRhdNR5S1sJRNc/DhpLv/dFcsAkZ5X:q0L1dWRH6Rb9w/n3rVAk3

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1564-2-0x0000000003E30000-0x000000000471B000-memory.dmp	family_glupteba
behavioral2/memory/1564-3-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/1564-54-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/1564-56-0x0000000003E30000-0x000000000471B000-memory.dmp	family_glupteba
behavioral2/memory/1664-57-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/1664-135-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/1664-156-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-258-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-267-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-269-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-271-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-273-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-275-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-277-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-279-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-281-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-283-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-285-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-287-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba
behavioral2/memory/2784-289-0x0000000000400000-0x0000000001E17000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

752 netsh.exe
Executes dropped EXE 4 IoCs

Processes:

csrss.exeinjector.exewindefender.exewindefender.exe

pid process

2784 csrss.exe
1592 injector.exe
2120 windefender.exe
1944 windefender.exe

pid	process
752	netsh.exe

pid	process
2784	csrss.exe
1592	injector.exe
2120	windefender.exe
1944	windefender.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/2120-266-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1944-268-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1944-272-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

90c2c0a3850e702555c86672dfccf87e.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

90c2c0a3850e702555c86672dfccf87e.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 90c2c0a3850e702555c86672dfccf87e.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	90c2c0a3850e702555c86672dfccf87e.exe

Drops file in Windows directory 4 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.execsrss.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	90c2c0a3850e702555c86672dfccf87e.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	90c2c0a3850e702555c86672dfccf87e.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4608 sc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3232 1564 WerFault.exe 90c2c0a3850e702555c86672dfccf87e.exe
3092 1664 WerFault.exe 90c2c0a3850e702555c86672dfccf87e.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1092 schtasks.exe
3352 schtasks.exe

pid	process
4608	sc.exe

pid	pid_target	process	target process
3232	1564	WerFault.exe	90c2c0a3850e702555c86672dfccf87e.exe
3092	1664	WerFault.exe	90c2c0a3850e702555c86672dfccf87e.exe

pid	process
1092	schtasks.exe
3352	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exewindefender.exepowershell.exe90c2c0a3850e702555c86672dfccf87e.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	90c2c0a3850e702555c86672dfccf87e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe90c2c0a3850e702555c86672dfccf87e.exepowershell.exe90c2c0a3850e702555c86672dfccf87e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
3368	powershell.exe
3368	powershell.exe
1564	90c2c0a3850e702555c86672dfccf87e.exe
1564	90c2c0a3850e702555c86672dfccf87e.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
1664	90c2c0a3850e702555c86672dfccf87e.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
3216	powershell.exe
3216	powershell.exe
3216	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
2784	csrss.exe
2784	csrss.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
2784	csrss.exe
2784	csrss.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
2784	csrss.exe
2784	csrss.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe
1592	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exe90c2c0a3850e702555c86672dfccf87e.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	1564	90c2c0a3850e702555c86672dfccf87e.exe
Token: SeImpersonatePrivilege	1564	90c2c0a3850e702555c86672dfccf87e.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeSystemEnvironmentPrivilege	2784	csrss.exe
Token: SeSecurityPrivilege	4608	sc.exe
Token: SeSecurityPrivilege	4608	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

90c2c0a3850e702555c86672dfccf87e.exe90c2c0a3850e702555c86672dfccf87e.execmd.execsrss.exewindefender.execmd.exe

description	pid	process	target process
PID 1564 wrote to memory of 3368	1564	90c2c0a3850e702555c86672dfccf87e.exe	Conhost.exe
PID 1564 wrote to memory of 3368	1564	90c2c0a3850e702555c86672dfccf87e.exe	Conhost.exe
PID 1564 wrote to memory of 3368	1564	90c2c0a3850e702555c86672dfccf87e.exe	Conhost.exe
PID 1664 wrote to memory of 2016	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 2016	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 2016	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 1592	1664	90c2c0a3850e702555c86672dfccf87e.exe	injector.exe
PID 1664 wrote to memory of 1592	1664	90c2c0a3850e702555c86672dfccf87e.exe	injector.exe
PID 1592 wrote to memory of 752	1592	cmd.exe	netsh.exe
PID 1592 wrote to memory of 752	1592	cmd.exe	netsh.exe
PID 1664 wrote to memory of 4944	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 4944	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 4944	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 4000	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 4000	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 4000	1664	90c2c0a3850e702555c86672dfccf87e.exe	powershell.exe
PID 1664 wrote to memory of 2784	1664	90c2c0a3850e702555c86672dfccf87e.exe	csrss.exe
PID 1664 wrote to memory of 2784	1664	90c2c0a3850e702555c86672dfccf87e.exe	csrss.exe
PID 1664 wrote to memory of 2784	1664	90c2c0a3850e702555c86672dfccf87e.exe	csrss.exe
PID 2784 wrote to memory of 1008	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 1008	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 1008	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 3216	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 3216	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 3216	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 1156	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 1156	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 1156	2784	csrss.exe	powershell.exe
PID 2784 wrote to memory of 1592	2784	csrss.exe	injector.exe
PID 2784 wrote to memory of 1592	2784	csrss.exe	injector.exe
PID 2120 wrote to memory of 4512	2120	windefender.exe	cmd.exe
PID 2120 wrote to memory of 4512	2120	windefender.exe	cmd.exe
PID 2120 wrote to memory of 4512	2120	windefender.exe	cmd.exe
PID 4512 wrote to memory of 4608	4512	cmd.exe	sc.exe
PID 4512 wrote to memory of 4608	4512	cmd.exe	sc.exe
PID 4512 wrote to memory of 4608	4512	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe
"C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe
"C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe"
2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3352

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 652
3⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 956
2⤵
- Program crash
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1564 -ip 1564
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664
1⤵
PID:4816

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2syg5ycq.esw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
32cba14f8dfea31e24728ae8ea60f958

SHA1
9213ebcb50193ca768319e8cabcc6cd512c53ee1

SHA256
a63a3fdc796c341bcf290601277313cc6e61928436bad51f94e995ec83fcd05a

SHA512
38dd596f1c2780b1232b08ef8806644890ddff0739b2f6711f98971732c966061887e7ba8f0ed89dd7c476eb617cf13cf68db4c8b851016b7216d7ae181a2cd2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b5eba14f5cbd3d61bfd970e946d3f917

SHA1
6217cae0ef86a12b7d7e4ded3715fe214f5e0ade

SHA256
943ae6d736663fae008320443d6a16a1e35a0194a2531615e3f73bec3af56ae2

SHA512
cb176b7476ea7822454ab866965831dc522791ff8a073a39469fa35087be3013a02f586c4c0b409b4a8624cfa699d7521432fa28798a3a8c0a25169a5ecaab47

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
a66fb3f4fe5849ce2d4dd65d1e4b7edd

SHA1
a53c898641373943d55873f1f898a15677edad8e

SHA256
a7f47a7dc42a478c46df93b0edb84eb65eb761d90cf2706aa15784d79b0f487a

SHA512
2ae96f8ce1f006e04e4a42e244137038c07795a14e9d1ef7710e8245edfbe46e2d1b4011d7b68fc5bc1ed1dda1ac86b7ce14c333eb304cf5b19fa97994b88ec6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
928e8af1bf05c347e2476454c02fb285

SHA1
35972d3375a31b75422976e14e0f904bb31aace0

SHA256
ad1e4fd051445daccb7106f91f3e8a898dd7872fb0835cc6bd7bb7ae66a183ce

SHA512
a832bd75509d4dfbc3289f218863bfd1a8dca66cace47250e08de2eba6e14a7c1b5bc99ef9904b724cfaea804551cc7593f74760cfc33cbda47c3d643b97993b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
2cd427c63fae53f8205764031a922d23

SHA1
180288bc957dbb2edc14ff1112ae5767fbc3bf91

SHA256
e9e9c5948a814cb253673f885217a5ad7e38160e2e4fce0a58509ee3c7986427

SHA512
0c9f4df40cc98f5563c2e9d1f9cd397926210a32638adb22d47faa151fcc302bc31561d7728aca788860696cf694662c21c2f5a5f51a2bbf6216a6666fb47e7a

Download Submit
C:\Windows\rss\csrss.exe
Filesize
788KB

MD5
7da0af2e494232be8324f58fb2ee589d

SHA1
0efaa421402ab63b189ebb201b27b8cd04670ea5

SHA256
5239fc678d51f076d2917404feba3a3feab88040dfdc9c9aecb57ac346724e75

SHA512
75294935310425c5a3862c83456720d3c4117685319c6d04c58aa13c57ad6f97876d3dd3b8fc251134821e28eecf1cce23d83bd82031ada2c580325c00462b81

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.1MB

MD5
15c7f048471eafe8ea4e2d05b585359c

SHA1
389d1c2748817dfb9bf8c41e78641c1dfd077386

SHA256
e04977d1578f7ddc69ac488671a62b33f9797d2bf301e0f802df831812629c87

SHA512
c16783cfe1d9cab59b0dc5cc8645955fcdf935e8bea807ebaa3c1bc30c4bd55b851be2d39f86f47a5047c2d818cd4ab6d7c376a4868c992c44950b90910254c4

Download Submit
C:\Windows\windefender.exe
Filesize
1.1MB

MD5
de7305b93feafcd5c3e9ae8102afa19e

SHA1
002b6c585762ce3bff5374f0473092495893aff2

SHA256
a2f0679b1c04150bc6e4601e3a869da0bfb69e9205ed5ea1fd19a2173f89b7aa

SHA512
d6a32cb36d17b7e8186182cc041aafc68585456320ab9cd4aa9b6c35eddae475dbbb9784dbfa6cc1d13188c9ca60c0eca7cff1484a0f2f6a6e0b52b6a1fd4f58

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1564-54-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1564-56-0x0000000003E30000-0x000000000471B000-memory.dmp

Filesize
8.9MB

Download
memory/1564-1-0x0000000003A20000-0x0000000003E23000-memory.dmp

Filesize
4.0MB

Download
memory/1564-2-0x0000000003E30000-0x000000000471B000-memory.dmp

Filesize
8.9MB

Download
memory/1564-3-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1664-123-0x0000000003A20000-0x0000000003E19000-memory.dmp

Filesize
4.0MB

Download
memory/1664-135-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1664-57-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1664-156-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/1664-55-0x0000000003A20000-0x0000000003E19000-memory.dmp

Filesize
4.0MB

Download
memory/1944-272-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1944-268-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2016-72-0x000000007F4A0000-0x000000007F4B0000-memory.dmp

Filesize
64KB

Download
memory/2016-85-0x0000000007570000-0x0000000007613000-memory.dmp

Filesize
652KB

Download
memory/2016-90-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2016-87-0x00000000078A0000-0x00000000078B4000-memory.dmp

Filesize
80KB

Download
memory/2016-86-0x0000000007850000-0x0000000007861000-memory.dmp

Filesize
68KB

Download
memory/2016-73-0x0000000070280000-0x00000000702CC000-memory.dmp

Filesize
304KB

Download
memory/2016-84-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2016-74-0x0000000070A20000-0x0000000070D74000-memory.dmp

Filesize
3.3MB

Download
memory/2016-71-0x00000000068F0000-0x000000000693C000-memory.dmp

Filesize
304KB

Download
memory/2016-61-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/2016-58-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2016-59-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2016-60-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/2120-266-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2784-258-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-273-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-275-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-277-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-279-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-269-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-281-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-283-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-267-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-285-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-287-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-289-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/2784-271-0x0000000000400000-0x0000000001E17000-memory.dmp

Filesize
26.1MB

Download
memory/3368-8-0x0000000005990000-0x0000000005FB8000-memory.dmp

Filesize
6.2MB

Download
memory/3368-30-0x0000000070180000-0x00000000701CC000-memory.dmp

Filesize
304KB

Download
memory/3368-44-0x0000000008730000-0x00000000087C6000-memory.dmp

Filesize
600KB

Download
memory/3368-26-0x00000000080B0000-0x000000000872A000-memory.dmp

Filesize
6.5MB

Download
memory/3368-45-0x0000000007F80000-0x0000000007F91000-memory.dmp

Filesize
68KB

Download
memory/3368-46-0x0000000007FC0000-0x0000000007FCE000-memory.dmp

Filesize
56KB

Download
memory/3368-47-0x0000000007FD0000-0x0000000007FE4000-memory.dmp

Filesize
80KB

Download
memory/3368-48-0x0000000008020000-0x000000000803A000-memory.dmp

Filesize
104KB

Download
memory/3368-49-0x0000000008010000-0x0000000008018000-memory.dmp

Filesize
32KB

Download
memory/3368-52-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3368-42-0x0000000007E70000-0x0000000007F13000-memory.dmp

Filesize
652KB

Download
memory/3368-31-0x0000000070300000-0x0000000070654000-memory.dmp

Filesize
3.3MB

Download
memory/3368-27-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/3368-4-0x0000000005240000-0x0000000005276000-memory.dmp

Filesize
216KB

Download
memory/3368-41-0x0000000007E50000-0x0000000007E6E000-memory.dmp

Filesize
120KB

Download
memory/3368-25-0x00000000079B0000-0x0000000007A26000-memory.dmp

Filesize
472KB

Download
memory/3368-24-0x0000000006DF0000-0x0000000006E34000-memory.dmp

Filesize
272KB

Download
memory/3368-6-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/3368-23-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/3368-22-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/3368-21-0x00000000064B0000-0x0000000006804000-memory.dmp

Filesize
3.3MB

Download
memory/3368-16-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/3368-10-0x0000000006030000-0x0000000006096000-memory.dmp

Filesize
408KB

Download
memory/3368-9-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/3368-43-0x0000000007F60000-0x0000000007F6A000-memory.dmp

Filesize
40KB

Download
memory/3368-29-0x0000000007E10000-0x0000000007E42000-memory.dmp

Filesize
200KB

Download
memory/3368-7-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/3368-5-0x00000000742E0000-0x0000000074A90000-memory.dmp

Filesize
7.7MB

Download
memory/3368-28-0x000000007F500000-0x000000007F510000-memory.dmp

Filesize
64KB

Download
memory/4000-124-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4000-137-0x000000007EF80000-0x000000007EF90000-memory.dmp

Filesize
64KB

Download
memory/4000-122-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4000-130-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4944-121-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/4944-93-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/4944-94-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/4944-119-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/4944-118-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/4944-108-0x0000000070420000-0x0000000070774000-memory.dmp

Filesize
3.3MB

Download
memory/4944-107-0x0000000070280000-0x00000000702CC000-memory.dmp

Filesize
304KB

Download
memory/4944-106-0x000000007EF10000-0x000000007EF20000-memory.dmp

Filesize
64KB

Download
memory/4944-104-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-92-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download