glupteba | b29b6f1b6a2d7f6d8b63ac749bdc991892970c7e7643221cf6087d75e4f17c41

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.9MB
MD5

a22002306cbbdc52549b8998a7348cfb
SHA1

6396fa71cd6042d915ec3244eb9eea7b11735b65
SHA256

b29b6f1b6a2d7f6d8b63ac749bdc991892970c7e7643221cf6087d75e4f17c41
SHA512

240cb963bfdf51c25b5284daa49f4fb86539dc6b614327fc5f3f5bf3956784974b7beaefe1df67cdf6e414bb86c2581321f44ec9b58eb25735b7d2e4d6cbd6e6
SSDEEP

98304:3bch/RlekYSHAdakJEnHfCVf4Pp1ScWt/cS4HHQTHYuin7owuTALeZN/sa+gGgH9:3Y5u82J8npxWt/cS4nG47n7t/sGgH8rP

Score

10^/10

glupteba stealc discovery dropper evasion loader persistence spyware stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.145

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/2640-44-0x0000000002C60000-0x000000000354B000-memory.dmp	family_glupteba
behavioral1/memory/2640-45-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2640-67-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1940-71-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1940-80-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-104-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-218-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-222-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-230-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-235-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-238-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-241-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-246-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-248-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-251-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-275-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-279-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-281-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1896-289-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\453829d01bd822c255d951511849bab8.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	453829d01bd822c255d951511849bab8.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1160	netsh.exe

Executes dropped EXE 9 IoCs

pid	Process
2556	InstallSetup10.exe
2640	453829d01bd822c255d951511849bab8.exe
2804	pub1E.exe
2480	syncUpd.exe
1940	453829d01bd822c255d951511849bab8.exe
2216	BroomSetup.exe
1896	csrss.exe
1640	patch.exe
1392	injector.exe

Loads dropped DLL 20 IoCs

pid	Process
2528	file.exe
2528	file.exe
2528	file.exe
2528	file.exe
2556	InstallSetup10.exe
2556	InstallSetup10.exe
2556	InstallSetup10.exe
2556	InstallSetup10.exe
2556	InstallSetup10.exe
1940	453829d01bd822c255d951511849bab8.exe
1940	453829d01bd822c255d951511849bab8.exe
852	Process not Found
1640	patch.exe
1640	patch.exe
1640	patch.exe
1640	patch.exe
1640	patch.exe
1896	csrss.exe
2480	syncUpd.exe
2480	syncUpd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015c87-58.dat	upx
behavioral1/memory/2216-66-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/files/0x0006000000015c87-65.dat	upx
behavioral1/memory/2216-188-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\453829d01bd822c255d951511849bab8.exe = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	453829d01bd822c255d951511849bab8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	453829d01bd822c255d951511849bab8.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	453829d01bd822c255d951511849bab8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	453829d01bd822c255d951511849bab8.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	453829d01bd822c255d951511849bab8.exe
File created	C:\Windows\rss\csrss.exe	453829d01bd822c255d951511849bab8.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240313140806.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000012251-5.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
784	schtasks.exe
1776	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	453829d01bd822c255d951511849bab8.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	453829d01bd822c255d951511849bab8.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	453829d01bd822c255d951511849bab8.exe
1940	453829d01bd822c255d951511849bab8.exe
1940	453829d01bd822c255d951511849bab8.exe
1940	453829d01bd822c255d951511849bab8.exe
1940	453829d01bd822c255d951511849bab8.exe
1940	453829d01bd822c255d951511849bab8.exe
2480	syncUpd.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe
1392	injector.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	file.exe
Token: SeDebugPrivilege	2804	pub1E.exe
Token: SeDebugPrivilege	2640	453829d01bd822c255d951511849bab8.exe
Token: SeImpersonatePrivilege	2640	453829d01bd822c255d951511849bab8.exe
Token: SeSystemEnvironmentPrivilege	1896	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2216	BroomSetup.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2556	2528	file.exe	29
PID 2528 wrote to memory of 2556	2528	file.exe	29
PID 2528 wrote to memory of 2556	2528	file.exe	29
PID 2528 wrote to memory of 2556	2528	file.exe	29
PID 2528 wrote to memory of 2556	2528	file.exe	29
PID 2528 wrote to memory of 2556	2528	file.exe	29
PID 2528 wrote to memory of 2556	2528	file.exe	29
PID 2528 wrote to memory of 2640	2528	file.exe	30
PID 2528 wrote to memory of 2640	2528	file.exe	30
PID 2528 wrote to memory of 2640	2528	file.exe	30
PID 2528 wrote to memory of 2640	2528	file.exe	30
PID 2528 wrote to memory of 2804	2528	file.exe	31
PID 2528 wrote to memory of 2804	2528	file.exe	31
PID 2528 wrote to memory of 2804	2528	file.exe	31
PID 2528 wrote to memory of 2804	2528	file.exe	31
PID 2556 wrote to memory of 2480	2556	InstallSetup10.exe	32
PID 2556 wrote to memory of 2480	2556	InstallSetup10.exe	32
PID 2556 wrote to memory of 2480	2556	InstallSetup10.exe	32
PID 2556 wrote to memory of 2480	2556	InstallSetup10.exe	32
PID 2556 wrote to memory of 2216	2556	InstallSetup10.exe	38
PID 2556 wrote to memory of 2216	2556	InstallSetup10.exe	38
PID 2556 wrote to memory of 2216	2556	InstallSetup10.exe	38
PID 2556 wrote to memory of 2216	2556	InstallSetup10.exe	38
PID 2556 wrote to memory of 2216	2556	InstallSetup10.exe	38
PID 2556 wrote to memory of 2216	2556	InstallSetup10.exe	38
PID 2556 wrote to memory of 2216	2556	InstallSetup10.exe	38
PID 1940 wrote to memory of 2428	1940	453829d01bd822c255d951511849bab8.exe	40
PID 1940 wrote to memory of 2428	1940	453829d01bd822c255d951511849bab8.exe	40
PID 1940 wrote to memory of 2428	1940	453829d01bd822c255d951511849bab8.exe	40
PID 1940 wrote to memory of 2428	1940	453829d01bd822c255d951511849bab8.exe	40
PID 2428 wrote to memory of 1160	2428	cmd.exe	42
PID 2428 wrote to memory of 1160	2428	cmd.exe	42
PID 2428 wrote to memory of 1160	2428	cmd.exe	42
PID 1940 wrote to memory of 1896	1940	453829d01bd822c255d951511849bab8.exe	43
PID 1940 wrote to memory of 1896	1940	453829d01bd822c255d951511849bab8.exe	43
PID 1940 wrote to memory of 1896	1940	453829d01bd822c255d951511849bab8.exe	43
PID 1940 wrote to memory of 1896	1940	453829d01bd822c255d951511849bab8.exe	43
PID 2216 wrote to memory of 1064	2216	BroomSetup.exe	44
PID 2216 wrote to memory of 1064	2216	BroomSetup.exe	44
PID 2216 wrote to memory of 1064	2216	BroomSetup.exe	44
PID 2216 wrote to memory of 1064	2216	BroomSetup.exe	44
PID 1064 wrote to memory of 1672	1064	cmd.exe	46
PID 1064 wrote to memory of 1672	1064	cmd.exe	46
PID 1064 wrote to memory of 1672	1064	cmd.exe	46
PID 1064 wrote to memory of 1672	1064	cmd.exe	46
PID 1064 wrote to memory of 784	1064	cmd.exe	47
PID 1064 wrote to memory of 784	1064	cmd.exe	47
PID 1064 wrote to memory of 784	1064	cmd.exe	47
PID 1064 wrote to memory of 784	1064	cmd.exe	47
PID 1896 wrote to memory of 1392	1896	csrss.exe	54
PID 1896 wrote to memory of 1392	1896	csrss.exe	54
PID 1896 wrote to memory of 1392	1896	csrss.exe	54
PID 1896 wrote to memory of 1392	1896	csrss.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\InstallSetup10.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup10.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
    C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:784
- C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe
  "C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe
    "C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1160
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1776
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1392
- C:\Users\Admin\AppData\Local\Temp\pub1E.exe
  "C:\Users\Admin\AppData\Local\Temp\pub1E.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240313140806.log C:\Windows\Logs\CBS\CbsPersist_20240313140806.cab
1⤵
- Drops file in Windows directory
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe

Filesize
3.6MB

MD5
9f0d1959d430244b21a1e7291ab2aa21

SHA1
553262378b50d80cda90441acef61fe084d1944a

SHA256
0a530bd370b48d1e3489ce7e9d69bed86238384a9e54c96a58652001410dd248

SHA512
c0c41c0e7ec956a15580cdbd55ee97ae5134f4d145983d6359fec1082ecad0a7eb9c6949b0c43bcc7d862d62eca1361d53a4b599d1d297be58a6da929eda2e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe

Filesize
3.1MB

MD5
0280345cfc5a72d56718a74ebc502718

SHA1
bf432be3ce35b7a53eaaff719422fd0108f5a46e

SHA256
a70fc0c4176c0baa53d7d5b9d0e6e338ec852feacc97e20c64bf6dddf5e19229

SHA512
e4ed07fd0094d370b7f7335ac5c2ef99f1b598e006c3b48251c11379cca93b79b25565dd33ec14a035d6e0c0b9b8b9a04dbde61a8640c47bb32451de907bb1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe

Filesize
4.1MB

MD5
49203862b08ebc3c706bebae1be9c43b

SHA1
51fffb777959955ccde2ca5456a1b6ff5230b95d

SHA256
b12e77896a69c8953cb24500f9eb6660ae306ba6d4c7b814ba12c4ff2b2c9cb7

SHA512
75fa654c4ac67db9fb287cc781f8059774ff695c9d6197c5a00f97401fc57c50a0cde5f212e115cabdfca368585122343fe96fbe0c1edc19630df68cfebe05c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe

Filesize
2.9MB

MD5
e773dd97ad81e96c9aa58e5b9fc32a46

SHA1
508246da1233d2d075c16335452aca6f6bf13bee

SHA256
ae41612138ca21a615ebd1678affe60789df174116e451f4e8d26159facbafee

SHA512
bd5090205ac105befc150d453fd9535812ccc9868a2d375d2529a267d5060411469b77fbe2702aa192cb022fec7c97a8cca3f8b75bedd5341bb86d0e4dbc47e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab73AC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7690.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
3.2MB

MD5
f9a8a3b7ce3fc9f70512156fec660df9

SHA1
162266af4670658cd07f38386a3e4b19a4e1f49d

SHA256
26f79454997a60d19fda28d3cea120fbd95f444b41e2fbf916011720555125f7

SHA512
e4d39f9446d447516931532fb7729ff9bf3da37c827e22fc33ce29b03687effe423bae0778fdb63bce9e615231a8406119b0862b6f14236b7490ab0fda68b4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub1E.exe

Filesize
8KB

MD5
08bf7dfea9919ac71d97889b2bee673c

SHA1
e48b2bcebe43b9477f377a2d70f3cb75cd583813

SHA256
da737c0d2b3e011e362325b5c531f8c456f788121221a795990ce85c4fb1ab43

SHA512
71d5596783d5b1dd2f84bf9f508da514734c47d9575f81399ddb4a7e71015fcb7107957f63a6f024024ca76d5b3b9b183a91deb9590cd8e46b2d630bbb9b5680

Download Submit
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

Filesize
200KB

MD5
4daa194c9f29f77b6a97afcc50793020

SHA1
fa03fe3b16bc39ca17366c7b22bd71d0693cbf6f

SHA256
421f8d69e9d99d7e447bae84e0574e19c9210c6f6121944408be0669aa63c56e

SHA512
0638935945b3c181b59bda9dc13e53fc88cbbabe046af0460049f6e89688a9cd4e67783b93002330aa94cd25a04db492e1791bad4cc6c634ab6975affd63ba05

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe

Filesize
3.9MB

MD5
267ddcb6c9f4695d300b4f0072cadb02

SHA1
48948d15e53f8b4ebe665218d71adc7ec9d4faff

SHA256
118f9d011dab9fc9ae655baf211d2e29a56fa452b4248ef7b0b31a7b6805e68f

SHA512
921a4fb8cee2b10ef67fd1e4b49aa8198e191d597c83dae89b53e7e2e00591bafcd0ef148519d0810adeb467abe6e0c1f1e5abd9b2a662160d5ea9df96277ed2

Download Submit
\Users\Admin\AppData\Local\Temp\453829d01bd822c255d951511849bab8.exe

Filesize
4.0MB

MD5
f2f772d83210f439df9a6c15a6c691bd

SHA1
a1a525904277f65c31b98a8487705bccfb193fe7

SHA256
35bc016fc9c41d21a744cb240b67d27a43cb86e0875c436e3d5e7d3e8a7cb5a2

SHA512
6d9b0e1320f3ede0aa3655a21cade0f5f490b6364c80447ef07f8dc62632997f13e854235b502b27953bc7e0441e9e5b378bb5e4d91a02bbf38291ce0f313466

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup10.exe

Filesize
1.8MB

MD5
12cfd4de0b77729cba35acd6ab559dad

SHA1
7ee89792a8e7efe3961417f439ece1d5051a106e

SHA256
6c528e4baf911f75d235717225e5c4197ad0178bf731e3702fc3c41edcbd72a0

SHA512
6d2bdc67668330d4eac0e7e79e7057b97913215372a14bf3d6db2db5fb3346a2dfaa9719243cf3d3b81cec06187a53fdcb05b3edc146bbb79ff965add7113967

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F53.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
3.1MB

MD5
6dbb6e81b0c6bb0b6f950feddafeb7ce

SHA1
11b75fefa76a6a6d19106b27b02f280cbf7cb2c8

SHA256
0e20e6f520b3a485011e0b94b4f740920c20dbf9ede4bb1239517d7d92e4062e

SHA512
2988b7da5f189db72f0e92ec3c1ddd7f915bb219ce349ca907aa7c3a3ae46969d0caa10bdc57d55ccd02d857d8612b9255d1490a03370fd8559a2d5e71b18573

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
3.8MB

MD5
de4c2e8e8ba9155a90947f569b1fd5d0

SHA1
17a8d8c5483ce0d5ba3ebc225aa6fa0e50385051

SHA256
4c7952a36d8fc3f59b3b5e9a0c263a9d96d106eb6bb5b433ac16f441eeca4130

SHA512
549503c00d6678a11df0b6309ccb5a0fe02b6e07092cdc72c309f54303c290171f97dd95b7f50b0cce4f4e3e720042660bfc28ee097e1b5facec8e9d366e36d0

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
3.1MB

MD5
c5d7807802889c5dab609b284d99960f

SHA1
47f17059486d0c08ebe706c1a1800ec24f335d46

SHA256
9d1be434374115970b1ecef8abf6c3a73923e2aeb9244ac25b4af4bc7e709bb9

SHA512
d19f47f69f87bb68ba971758552dcfe995b0927fcf7e1d69a2ba38a482f567ab5bed3f06844423de85e6868ea3b1f59f551536f2d2ade025b68c0d5974965e2b

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
memory/1640-126-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1640-113-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1896-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-289-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-281-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-279-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-275-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-251-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-101-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/1896-103-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/1896-104-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1896-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1940-88-0x0000000002650000-0x0000000002A48000-memory.dmp

Filesize
4.0MB

Download
memory/1940-80-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1940-71-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1940-70-0x0000000002650000-0x0000000002A48000-memory.dmp

Filesize
4.0MB

Download
memory/1940-69-0x0000000002650000-0x0000000002A48000-memory.dmp

Filesize
4.0MB

Download
memory/2216-219-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2216-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2216-66-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2216-188-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2480-236-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-128-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2480-290-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-189-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2480-255-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-276-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-220-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-47-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2480-229-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-49-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2480-48-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/2528-0-0x00000000012B0000-0x000000000189C000-memory.dmp

Filesize
5.9MB

Download
memory/2528-39-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-2-0x0000000005370000-0x00000000053B0000-memory.dmp

Filesize
256KB

Download
memory/2528-1-0x0000000074600000-0x0000000074CEE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2640-44-0x0000000002C60000-0x000000000354B000-memory.dmp

Filesize
8.9MB

Download
memory/2640-45-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2640-40-0x0000000002860000-0x0000000002C58000-memory.dmp

Filesize
4.0MB

Download
memory/2640-50-0x0000000002860000-0x0000000002C58000-memory.dmp

Filesize
4.0MB

Download
memory/2640-67-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2804-43-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-38-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/2804-46-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/2804-127-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/2804-125-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download