glupteba | ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Size

4.2MB
MD5

74b10c71fe17b2a762fb9e0a6aec356c
SHA1

7d89ac68392ab3ce93902ba2397ea5e18ce78550
SHA256

ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a
SHA512

cfb66059db590fb608b9f607dd1bf54d54e1c031d6cc541d6040ea507f7d6d8a24cc528678c850edade16562a4146f14368e73baa85364fbb147724dca2fd129
SSDEEP

98304:I5lPBaWBrbylaZCxbWq17tgxAPYITosQNEMg2S6aC8AEQ:WjBrYYebWqlbosQ6t6aC1V

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 20 IoCs

resource	yara_rule
behavioral1/memory/1536-2-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral1/memory/1536-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1536-55-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1536-56-0x0000000002EF0000-0x00000000037DB000-memory.dmp	family_glupteba
behavioral1/memory/3808-59-0x0000000002E30000-0x000000000371B000-memory.dmp	family_glupteba
behavioral1/memory/3808-60-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3808-108-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3808-121-0x0000000002A20000-0x0000000002E22000-memory.dmp	family_glupteba
behavioral1/memory/3808-137-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3808-159-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-240-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-263-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-274-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-278-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-282-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-286-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-290-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-294-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-298-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4304-302-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1596	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
4304	csrss.exe
5116	injector.exe
1816	windefender.exe
1576	windefender.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000021cfa-266.dat	upx
behavioral1/memory/1816-271-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1576-277-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1576-283-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
File created	C:\Windows\rss\csrss.exe	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2908	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3964	schtasks.exe
2608	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	powershell.exe
396	powershell.exe
1536	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
1536	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
2100	powershell.exe
2100	powershell.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
4816	powershell.exe
4816	powershell.exe
1064	powershell.exe
1064	powershell.exe
396	powershell.exe
396	powershell.exe
2064	powershell.exe
2064	powershell.exe
4804	powershell.exe
4804	powershell.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
4304	csrss.exe
4304	csrss.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
4304	csrss.exe
4304	csrss.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
4304	csrss.exe
4304	csrss.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe
5116	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1536	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Token: SeImpersonatePrivilege	1536	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeSystemEnvironmentPrivilege	4304	csrss.exe
Token: SeSecurityPrivilege	2908	sc.exe
Token: SeSecurityPrivilege	2908	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 396	1536	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	87
PID 1536 wrote to memory of 396	1536	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	87
PID 1536 wrote to memory of 396	1536	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	87
PID 3808 wrote to memory of 2100	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	95
PID 3808 wrote to memory of 2100	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	95
PID 3808 wrote to memory of 2100	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	95
PID 3808 wrote to memory of 4292	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	97
PID 3808 wrote to memory of 4292	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	97
PID 4292 wrote to memory of 1596	4292	cmd.exe	99
PID 4292 wrote to memory of 1596	4292	cmd.exe	99
PID 3808 wrote to memory of 4816	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	100
PID 3808 wrote to memory of 4816	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	100
PID 3808 wrote to memory of 4816	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	100
PID 3808 wrote to memory of 1064	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	103
PID 3808 wrote to memory of 1064	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	103
PID 3808 wrote to memory of 1064	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	103
PID 3808 wrote to memory of 4304	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	105
PID 3808 wrote to memory of 4304	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	105
PID 3808 wrote to memory of 4304	3808	ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe	105
PID 4304 wrote to memory of 396	4304	csrss.exe	106
PID 4304 wrote to memory of 396	4304	csrss.exe	106
PID 4304 wrote to memory of 396	4304	csrss.exe	106
PID 4304 wrote to memory of 2064	4304	csrss.exe	112
PID 4304 wrote to memory of 2064	4304	csrss.exe	112
PID 4304 wrote to memory of 2064	4304	csrss.exe	112
PID 4304 wrote to memory of 4804	4304	csrss.exe	114
PID 4304 wrote to memory of 4804	4304	csrss.exe	114
PID 4304 wrote to memory of 4804	4304	csrss.exe	114
PID 4304 wrote to memory of 5116	4304	csrss.exe	116
PID 4304 wrote to memory of 5116	4304	csrss.exe	116
PID 1816 wrote to memory of 3460	1816	windefender.exe	122
PID 1816 wrote to memory of 3460	1816	windefender.exe	122
PID 1816 wrote to memory of 3460	1816	windefender.exe	122
PID 3460 wrote to memory of 2908	3460	cmd.exe	123
PID 3460 wrote to memory of 2908	3460	cmd.exe	123
PID 3460 wrote to memory of 2908	3460	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
"C:\Users\Admin\AppData\Local\Temp\ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Users\Admin\AppData\Local\Temp\ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe
  "C:\Users\Admin\AppData\Local\Temp\ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3964
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5116
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2608
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cylzb1be.zl4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e38cf80ccd733d12acd8ed657fa76a0f

SHA1
580e49e1b482dcf0480cefe6d5bf8f0331732296

SHA256
47996c1354ee704ef75a94ae2217033da52695ca164573023cda951bdec728be

SHA512
ed7056b56d6cd0fd42f9bb716c647ed21f988231aa0817f28be7fceab199a274a479af4e7b77b86ed298b6734b39c2e6714d46bd6bd408d9862a77d97013bc12

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5bf75eec7236efd38adaaf4e2db86813

SHA1
0ee74d3e8c89b3b2dbede5e13fb9aa8252b0ee53

SHA256
37482b8d142bfe776c36bfdb338ad1ac103d2996a9c06bc6351541598ad3de93

SHA512
ba034d081152b8a0b49a7aa361bfe622d23bbafa51b52d0947b58c41e6c140cd76738d8bb45bbc25c5518b9e35a4d03f425131f7121a2e75147856f482caef2e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4c3a19c8464545100087fd04a12e6552

SHA1
e58d4b32bf14e01267fae45e8ef0031702d9a96d

SHA256
15f888827dbc7174856c8e5fedb26764da57b493009f3dc57bb727b2d040b500

SHA512
73640aac06cab98d7c2c3459d8cc1d8886f917f2607e666bc26620c5403eb5229cf933d50c4116612030a489657ca398d33906b318b3402b8bc1853eb548aa4e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
395fa7333ff6961e9d27040b3121518c

SHA1
c887a307366b75c77604f9e95c46b4fa4eccc896

SHA256
4f5b22735594eb8741aa8f03ce543757f90a3402c750ea04011502f296c72936

SHA512
45e9c00f3782fd8c99d45e5389b838caa4f933e2368209fa7878c14472a3cd702b50d72927a4cb4df6699bc3044ec455bde4c1bc9391725fadc4f55a4f5ed8ca

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
98a16c9dec9e9f7c30e83d868c31e73e

SHA1
c22fc587eb4d3d3f62928e76869fb87b750dc7d8

SHA256
d441baaaadcd16927ed16f1f8b1c62604deb7566f222235040607139a9d07612

SHA512
41ab10361a8285e04ced227d325aa55881dd0ac07aef46832dbfed4c3b6732de696bac63379b6301c80316ad6da9aee84303b9d20e126c9bc98f1f2910559326

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
35ac2df239e42413c8c65e8eec7ebb95

SHA1
b9ecc00089ae74fdb23e54fb9586a76c25583edf

SHA256
dfaa20b1a5c03a4870a8cc493df96bb312a9536eeeebbc554f01dcd36fd77698

SHA512
557400554fdeeba478426d0c8768f7b5c901fc08a33aa8f28b91983e7903fe2a10825010fb154164aa940fc9fe60e5390b50a87c33798c8ba8652501d056a152

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
74b10c71fe17b2a762fb9e0a6aec356c

SHA1
7d89ac68392ab3ce93902ba2397ea5e18ce78550

SHA256
ec4bf36843e75db46bf446341b9b628cf5b92d64908602994c0388a509afca3a

SHA512
cfb66059db590fb608b9f607dd1bf54d54e1c031d6cc541d6040ea507f7d6d8a24cc528678c850edade16562a4146f14368e73baa85364fbb147724dca2fd129

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/396-27-0x000000007F460000-0x000000007F470000-memory.dmp

Filesize
64KB

Download
memory/396-43-0x0000000007EB0000-0x0000000007EBA000-memory.dmp

Filesize
40KB

Download
memory/396-21-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/396-22-0x0000000006820000-0x000000000686C000-memory.dmp

Filesize
304KB

Download
memory/396-23-0x0000000006D80000-0x0000000006DC4000-memory.dmp

Filesize
272KB

Download
memory/396-24-0x0000000007B20000-0x0000000007B96000-memory.dmp

Filesize
472KB

Download
memory/396-25-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/396-26-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/396-10-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/396-28-0x0000000007D60000-0x0000000007D92000-memory.dmp

Filesize
200KB

Download
memory/396-29-0x00000000702D0000-0x000000007031C000-memory.dmp

Filesize
304KB

Download
memory/396-30-0x0000000070680000-0x00000000709D4000-memory.dmp

Filesize
3.3MB

Download
memory/396-41-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/396-40-0x0000000007DA0000-0x0000000007DBE000-memory.dmp

Filesize
120KB

Download
memory/396-42-0x0000000007DC0000-0x0000000007E63000-memory.dmp

Filesize
652KB

Download
memory/396-20-0x00000000061F0000-0x0000000006544000-memory.dmp

Filesize
3.3MB

Download
memory/396-44-0x0000000007FC0000-0x0000000008056000-memory.dmp

Filesize
600KB

Download
memory/396-45-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/396-46-0x0000000007F00000-0x0000000007F0E000-memory.dmp

Filesize
56KB

Download
memory/396-47-0x0000000007F20000-0x0000000007F34000-memory.dmp

Filesize
80KB

Download
memory/396-48-0x0000000007F70000-0x0000000007F8A000-memory.dmp

Filesize
104KB

Download
memory/396-49-0x0000000007F60000-0x0000000007F68000-memory.dmp

Filesize
32KB

Download
memory/396-52-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/396-9-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/396-8-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/396-7-0x0000000005970000-0x0000000005F98000-memory.dmp

Filesize
6.2MB

Download
memory/396-6-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/396-4-0x0000000003200000-0x0000000003236000-memory.dmp

Filesize
216KB

Download
memory/396-5-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1064-138-0x00000000702D0000-0x000000007031C000-memory.dmp

Filesize
304KB

Download
memory/1064-126-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/1064-140-0x0000000070450000-0x00000000707A4000-memory.dmp

Filesize
3.3MB

Download
memory/1064-139-0x000000007F660000-0x000000007F670000-memory.dmp

Filesize
64KB

Download
memory/1064-125-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1536-1-0x0000000002AF0000-0x0000000002EEB000-memory.dmp

Filesize
4.0MB

Download
memory/1536-54-0x0000000002AF0000-0x0000000002EEB000-memory.dmp

Filesize
4.0MB

Download
memory/1536-56-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/1536-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1536-2-0x0000000002EF0000-0x00000000037DB000-memory.dmp

Filesize
8.9MB

Download
memory/1576-277-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1576-283-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1816-271-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2100-88-0x0000000007B20000-0x0000000007B31000-memory.dmp

Filesize
68KB

Download
memory/2100-86-0x00000000077F0000-0x0000000007893000-memory.dmp

Filesize
652KB

Download
memory/2100-63-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2100-73-0x00000000061C0000-0x0000000006514000-memory.dmp

Filesize
3.3MB

Download
memory/2100-92-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2100-89-0x0000000007B70000-0x0000000007B84000-memory.dmp

Filesize
80KB

Download
memory/2100-62-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2100-74-0x000000007F950000-0x000000007F960000-memory.dmp

Filesize
64KB

Download
memory/2100-87-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2100-61-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2100-76-0x0000000070320000-0x0000000070674000-memory.dmp

Filesize
3.3MB

Download
memory/2100-75-0x00000000702D0000-0x000000007031C000-memory.dmp

Filesize
304KB

Download
memory/3808-59-0x0000000002E30000-0x000000000371B000-memory.dmp

Filesize
8.9MB

Download
memory/3808-137-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3808-121-0x0000000002A20000-0x0000000002E22000-memory.dmp

Filesize
4.0MB

Download
memory/3808-108-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3808-60-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3808-58-0x0000000002A20000-0x0000000002E22000-memory.dmp

Filesize
4.0MB

Download
memory/3808-159-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-286-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-302-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-298-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-294-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-263-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-290-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-282-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-274-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4304-278-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4816-95-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/4816-105-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/4816-94-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4816-124-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4816-109-0x00000000702D0000-0x000000007031C000-memory.dmp

Filesize
304KB

Download
memory/4816-111-0x0000000070450000-0x00000000707A4000-memory.dmp

Filesize
3.3MB

Download
memory/4816-110-0x000000007EEE0000-0x000000007EEF0000-memory.dmp

Filesize
64KB

Download
memory/4816-122-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download