Malware Analysis Report

2025-08-05 12:18

Sample ID 240419-x3y6fadc39
Target f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6
SHA256 f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6
Tags
glupteba dropper evasion loader upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6

Threat Level: Known bad

The file f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6 was found to be: Known bad.

Malicious Activity Summary

glupteba dropper evasion loader upx

Glupteba

Glupteba payload

Modifies Windows Firewall

UPX packed file

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-19 19:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-19 19:23

Reported

2024-04-19 19:25

Platform

win11-20240412-en

Max time kernel

10s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
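
The table records only that sc.exe ran; the command line under Processes is `sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)`, which replaces the security descriptor of a service named WinDefender (the genuine Microsoft Defender Antivirus service is WinDefend; the report does not show the service being registered, but C:\Windows\windefender.exe starts immediately before this command). The decoder below is an added example, not part of the report or of any tool it mentions: it parses the SDDL with the two-letter service-right codes documented for `sc sdset` and works out what each trustee can still do. That is the security-relevant point of the command: the third ACE, `(D;;WPDT;;;BA)`, denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and the preceding allow ACE for Administrators omits both, so an elevated `sc stop` or a stop from the Services console fails while LOCAL SYSTEM keeps full control. Group membership and privileges such as SeTakeOwnershipPrivilege are not modelled.

```python
import re

# Two-letter access-right codes as written by `sc sdset` / `sc sdshow`, mapped to the
# service-specific rights they stand for (Microsoft's documented table for services).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known trustee abbreviations that occur in the descriptor from this report.
TRUSTEES = {"SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators", "IU": "INTERACTIVE",
            "SU": "SERVICE", "WD": "Everyone"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}

# The descriptor exactly as passed to `sc sdset WinDefender` in this report.
REPORT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_rights(code):
    """Split a rights string such as 'WPDT' into two-letter codes and name them."""
    if len(code) % 2:
        raise ValueError(f"rights string has odd length: {code!r}")
    return [SERVICE_RIGHTS.get(code[i:i + 2], code[i:i + 2]) for i in range(0, len(code), 2)]


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]}; each ACE keeps its type, rights and trustee.

    ACE flags, object GUIDs and conditional expressions play no part in a plain
    service descriptor and are ignored.
    """
    acls = {"dacl": [], "sacl": []}
    for prefix, name in (("D:", "dacl"), ("S:", "sacl")):
        m = re.search(re.escape(prefix) + r"((?:\([^)]*\))*)", sddl)
        if not m:
            continue
        for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
            fields = ace.split(";")  # type;flags;rights;object;inherited-object;trustee
            acls[name].append({
                "type": ACE_TYPES.get(fields[0], fields[0]),
                "rights": parse_rights(fields[2]),
                "trustee": TRUSTEES.get(fields[5], fields[5]),
            })
    return acls


def effective_rights(acls, trustee):
    """Rights `trustee` ends up with; an explicit DENY beats an ALLOW for the same trustee,
    as Windows evaluates them. Membership in groups is not modelled."""
    allowed, denied = set(), set()
    for ace in acls["dacl"]:
        if ace["trustee"] != trustee:
            continue
        (denied if ace["type"] == "DENY" else allowed).update(ace["rights"])
    return {
        "allowed": sorted(allowed - denied),
        "denied": sorted(denied),
        "can_stop": "SERVICE_STOP" in allowed and "SERVICE_STOP" not in denied,
        "can_rewrite_sd": "WRITE_DAC" in allowed and "WRITE_DAC" not in denied,
    }


if __name__ == "__main__":
    acls = parse_sddl(REPORT_SDDL)
    for who in ("BUILTIN\\Administrators", "LOCAL SYSTEM", "INTERACTIVE"):
        r = effective_rights(acls, who)
        print(who, "can_stop:", r["can_stop"], "can_rewrite_sd:", r["can_rewrite_sd"],
              "denied:", r["denied"])
```

The deny is recoverable: the Administrators allow ACE still grants WRITE_DAC and WRITE_OWNER, so an elevated `sc sdset WinDefender <descriptor copied via sc sdshow from a clean host>` restores the ability to stop and delete the service. Re-run `sc sdshow WinDefender` after removing the scheduled task, firewall rule and binaries listed elsewhere in this report, since anything still running can set the descriptor back.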

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A (12 identical rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (6 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4216 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4324 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 4324 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 5060 wrote to memory of 3136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe (2 identical rows)
PID 4324 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe

"C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 2440

C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe

"C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
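
Read together, the command lines above are the whole chain the sandbox saw. Two instances of the sample (PIDs 4216 and 4324 in the WriteProcessMemory table) each start `powershell -nologo -noprofile` with no script on the command line, so whatever PowerShell ran was supplied by the parent and is not recorded here; the first PowerShell child (3548) crashes, which is what the two WerFault.exe lines and the "Program crash" signature refer to, and the `__PSScriptPolicyTest_*.ps1` file under Files is PowerShell's own start-up policy probe, not a dropped script. The second instance reaches 64-bit cmd.exe through the `C:\Windows\Sysnative` alias (a 32-bit process's route to the real System32) to add an inbound firewall allow rule for `C:\Windows\rss\csrss.exe`; that file's SHA256 under Files is the sample's own hash, so it is a self-copy under a core-process name in a directory Windows does not use (the genuine csrss.exe runs only from System32). A logon task named csrss at /RL HIGHEST and the deletion of a task named ScheduledUpdate follow; injector.exe then loads NtQuerySystemInformationHook.dll into taskmgr.exe (hooking that API inside Task Manager is the standard way to filter processes out of its list; the report shows only the file names, not the hook's behaviour), C:\Windows\windefender.exe starts, and `sc sdset` locks the WinDefender service. The WriteProcessMemory rows pair each parent with the child it has just created, which is what ordinary process creation looks like to that signature; the explicit injector run is the injection that matters. The script below is an added example, not the report's or the sandbox's code: it constructs Sysmon-style process-creation events from the image paths and command lines listed above (plus two benign controls constructed for contrast) and runs four detection rules over them. The trusted-path prefixes and the core-process name list are assumptions to tune per environment.

```python
import re

# Where Windows core binaries live, and the wider set of locations a firewall rule or
# scheduled task may legitimately point at (assumptions: tune per environment).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_PREFIXES = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
# Core process names malware borrows; the genuine ones run only from System32.
CORE_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                      "svchost.exe", "winlogon.exe", "wininit.exe"}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe")
NETSH = (r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow '
         r'program="C:\Windows\rss\csrss.exe" enable=yes')
SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Process-creation events constructed from the Processes list of this report (image path
# and command line only), followed by two benign controls constructed for contrast.
EVENTS = [
    {"image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nologo -noprofile"},
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\Sysnative\cmd.exe /C "' + NETSH + '"'},
    {"image": r"C:\Windows\system32\netsh.exe", "cmdline": NETSH},
    {"image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": "schtasks /delete /tn ScheduledUpdate /f"},
    {"image": r"C:\Windows\rss\csrss.exe", "cmdline": r"C:\Windows\rss\csrss.exe"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe "
                r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"},
    {"image": r"C:\Windows\windefender.exe", "cmdline": r'"C:\Windows\windefender.exe"'},
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd.exe /C sc sdset WinDefender " + SDDL},
    {"image": r"C:\Windows\SysWOW64\sc.exe", "cmdline": "sc sdset WinDefender " + SDDL},
    # benign controls (constructed): the real csrss.exe and a vendor updater task under Program Files
    {"image": r"C:\Windows\System32\csrss.exe",
     "cmdline": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\updater.exe" /TN VendorUpdate /F'},
]


def _norm(path):
    return path.strip('"').lower()


def check_event(ev):
    """Run the four rules over one process-creation event; return (rule, detail) pairs."""
    image = _norm(ev["image"])
    name = image.rsplit("\\", 1)[-1]
    cmd = ev["cmdline"]
    hits = []
    # 1. A core Windows process name running from outside the system directories.
    if name in CORE_PROCESS_NAMES and not image.startswith(SYSTEM_DIRS):
        hits.append(("masquerade", ev["image"]))
    # 2. Inbound firewall allow rule whose program lies outside the trusted locations.
    m = re.search(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="?([^"\s]+)', cmd, re.I)
    if m and not _norm(m.group(1)).startswith(TRUSTED_PREFIXES):
        hits.append(("firewall-allow", m.group(1)))
    # 3. Logon/boot-triggered task at the highest run level whose action lies outside trusted locations.
    if re.search(r"\bschtasks\b.*?/create\b", cmd, re.I):
        tr = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmd, re.I)
        if (tr and re.search(r"/rl\s+highest\b", cmd, re.I)
                and re.search(r"/sc\s+(?:onlogon|onstart)\b", cmd, re.I)
                and not _norm(tr.group(1)).startswith(TRUSTED_PREFIXES)):
            hits.append(("persistence-task", tr.group(1)))
    # 4. Any rewrite of a service security descriptor.
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)", cmd, re.I)
    if m:
        hits.append(("service-sd-rewrite", m.group(1)))
    return hits


def scan(events):
    """Return (image basename, rule, detail) for every hit across all events."""
    return [(ev["image"].rsplit("\\", 1)[-1], rule, detail)
            for ev in events for rule, detail in check_event(ev)]


if __name__ == "__main__":
    for image, rule, detail in scan(EVENTS):
        print(f"{rule:20} {image:16} {detail}")
```

Rule 2 fires twice (once on the Sysnative cmd.exe wrapper, once on netsh.exe itself) and rule 4 fires twice for the same reason; deduplicating on the child is an environment choice. On a live host the same facts are checked with `schtasks /query /tn csrss /v`, `netsh advfirewall firewall show rule name=csrss` and `Get-ChildItem C:\Windows\rss, C:\Windows\windefender.exe`, comparing hashes against the Files section.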

Network

Country Destination Domain Proto
US 8.8.8.8:53 269b296e-75fb-4e8a-b784-dbc01b21ff25.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.databaseupgrade.ru udp
BG 185.82.216.108:443 server12.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server12.databaseupgrade.ru tcp
BG 185.82.216.108:443 server12.databaseupgrade.ru tcp
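
The network rows show a traffic mix rather than a single C2 address: every DNS query goes straight to 8.8.8.8 instead of the local resolver, one query carries a UUID as its leftmost label (`269b296e-75fb-4e8a-b784-dbc01b21ff25.uuid.databaseupgrade.ru`, a per-host identifier carried out in the name itself), three TLS connections go to `server12.databaseupgrade.ru` at 185.82.216.108 (BG), one goes to `cdn.discordapp.com` (a legitimate CDN the sandbox cannot tell apart from payload retrieval), one to `carsalessystem.com` behind an address in Cloudflare's 172.64.0.0/13, and a STUN request goes to `stun.ipfire.org` (external address and NAT discovery). The script below is an added example, not part of the report: it parses a copy of the table embedded as a string, tags each row, counts repeated TLS destinations, and separates indicators that are safe to block outright from shared infrastructure (Discord's CDN, a public STUN server, Cloudflare edges) that should be blocked by name only. The public-resolver, shared-service and shared-network lists are assumptions to extend locally.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Rows copied from the Network table of this report: country, destination, domain, protocol.
ROWS = """
US 8.8.8.8:53 269b296e-75fb-4e8a-b784-dbc01b21ff25.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server12.databaseupgrade.ru udp
BG 185.82.216.108:443 server12.databaseupgrade.ru tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server12.databaseupgrade.ru tcp
BG 185.82.216.108:443 server12.databaseupgrade.ru tcp
"""

UUID_LABEL = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.", re.I)
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}  # assumption: extend locally
# Legitimate services routinely used for payload hosting or NAT discovery (assumption: extend locally).
SHARED_SERVICES = {"cdn.discordapp.com", "stun.ipfire.org"}
# Cloudflare edge ranges as published by Cloudflare; blocking them cuts off unrelated sites.
SHARED_NETS = [ip_network("172.64.0.0/13"), ip_network("162.158.0.0/15")]


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def tag_row(row):
    tags = []
    if row["port"] == 53 and row["ip"] in PUBLIC_RESOLVERS:
        tags.append("dns-via-public-resolver")   # bypasses the local resolver and its logs
    if UUID_LABEL.match(row["domain"]):
        tags.append("uuid-subdomain")            # per-host identifier carried in the query name
    if row["domain"].endswith(".in-addr.arpa"):
        tags.append("reverse-lookup")
    if row["port"] == 3478:
        tags.append("stun")                      # external address / NAT-type discovery
    if row["domain"] in SHARED_SERVICES:
        tags.append("shared-service")
    return tags


def summarize(rows):
    """Tags per queried name, plus TLS destinations contacted more than once (beacon candidates)."""
    tags = {}
    for r in rows:
        for t in tag_row(r):
            tags.setdefault(r["domain"], set()).add(t)
    tls = Counter((r["domain"], r["ip"]) for r in rows if r["proto"] == "tcp" and r["port"] == 443)
    return {"tags": tags, "repeated_tls": {dom: n for (dom, _ip), n in tls.items() if n >= 2}}


def is_shared_ip(ip, rows):
    """An address is shared infrastructure if it served a shared service or sits in a CDN range."""
    fronts_shared_service = any(r["ip"] == ip and r["domain"] in SHARED_SERVICES for r in rows)
    return fronts_shared_service or any(ip_address(ip) in net for net in SHARED_NETS)


def block_list(rows):
    """Indicators safe to block outright, separated from shared infrastructure (block by name only)."""
    names = {r["domain"] for r in rows if not r["domain"].endswith(".arpa")}
    ips = {r["ip"] for r in rows if r["port"] != 53}
    shared_ips = {ip for ip in ips if is_shared_ip(ip, rows)}
    return {"names": sorted(names - SHARED_SERVICES),
            "ips": sorted(ips - shared_ips),
            "shared_ips": sorted(shared_ips)}


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    summary = summarize(rows)
    for dom, t in summary["tags"].items():
        print(f"{dom:70} {sorted(t)}")
    print("repeated TLS:", summary["repeated_tls"])
    print("block:", block_list(rows))
```

The split matters operationally: `185.82.216.108` and the two databaseupgrade.ru names can go on a block list as they are, while `cdn.discordapp.com`, the STUN server and the Cloudflare-fronted `carsalessystem.com` should be blocked or alerted on by name, and the UUID-labelled query is better turned into a wildcard rule on `*.uuid.databaseupgrade.ru` than matched literally, since the label is per host.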

Files

memory/4216-1-0x0000000003E00000-0x0000000004200000-memory.dmp

memory/4216-2-0x0000000004200000-0x0000000004AEB000-memory.dmp

memory/4216-3-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3548-4-0x0000000002F10000-0x0000000002F46000-memory.dmp

memory/3548-5-0x0000000074250000-0x0000000074A01000-memory.dmp

memory/3548-6-0x0000000002F00000-0x0000000002F10000-memory.dmp

memory/3548-7-0x0000000002F00000-0x0000000002F10000-memory.dmp

memory/3548-8-0x00000000057F0000-0x0000000005E1A000-memory.dmp

memory/3548-9-0x0000000005530000-0x0000000005552000-memory.dmp

memory/3548-10-0x0000000005E20000-0x0000000005E86000-memory.dmp

memory/3548-13-0x0000000005E90000-0x0000000005EF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dn0t3h2p.x1h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3548-20-0x0000000005F00000-0x0000000006257000-memory.dmp

memory/3548-21-0x00000000063E0000-0x00000000063FE000-memory.dmp

memory/3548-22-0x0000000006410000-0x000000000645C000-memory.dmp

memory/3548-23-0x00000000067D0000-0x0000000006816000-memory.dmp

memory/3548-24-0x000000007FD60000-0x000000007FD70000-memory.dmp

memory/3548-26-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/3548-36-0x0000000007820000-0x000000000783E000-memory.dmp

memory/3548-37-0x0000000007840000-0x00000000078E4000-memory.dmp

memory/3548-27-0x0000000070640000-0x0000000070997000-memory.dmp

memory/3548-25-0x00000000077C0000-0x00000000077F4000-memory.dmp

memory/3548-38-0x0000000007FB0000-0x000000000862A000-memory.dmp

memory/3548-39-0x0000000007970000-0x000000000798A000-memory.dmp

memory/3548-40-0x00000000079B0000-0x00000000079BA000-memory.dmp

memory/3548-41-0x0000000074250000-0x0000000074A01000-memory.dmp

memory/4324-43-0x0000000003C60000-0x0000000004066000-memory.dmp

memory/4324-44-0x0000000004070000-0x000000000495B000-memory.dmp

memory/4324-45-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4216-48-0x0000000003E00000-0x0000000004200000-memory.dmp

memory/4332-47-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4332-46-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4332-58-0x0000000005D20000-0x0000000006077000-memory.dmp

memory/4332-57-0x0000000074250000-0x0000000074A01000-memory.dmp

memory/4332-59-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/4332-60-0x0000000070E00000-0x0000000071157000-memory.dmp

memory/4332-71-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4332-70-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/4332-69-0x00000000073A0000-0x0000000007444000-memory.dmp

memory/4332-72-0x00000000077A0000-0x0000000007836000-memory.dmp

memory/4332-73-0x00000000076C0000-0x00000000076D1000-memory.dmp

memory/4332-74-0x0000000007700000-0x000000000770E000-memory.dmp

memory/4332-75-0x0000000007710000-0x0000000007725000-memory.dmp

memory/4332-76-0x0000000007750000-0x000000000776A000-memory.dmp

memory/4332-77-0x0000000007770000-0x0000000007778000-memory.dmp

memory/4332-80-0x0000000074250000-0x0000000074A01000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 fb359dfcf37031f3bb927aaa7edf3ec1
SHA1 bd7ab54fe9f904052a7bfc2a342712b39ff0d6fe
SHA256 db729b25ddf0278ba65770c5dcf6cd0f28f532bdbd1943fe0766445ec08ea796
SHA512 a6f76d3e56ace2d60dce355fbf606c83668b6eb2a6116e9826524c2b21947580f15c7385bf70330bfd8b86da83fe08929d06b8cd8c09e81bbbbb69632c45fdc8

memory/4636-92-0x0000000074250000-0x0000000074A01000-memory.dmp

memory/4636-94-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

memory/4636-93-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

memory/4216-90-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/4636-96-0x0000000070640000-0x0000000070997000-memory.dmp

memory/4636-95-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/4636-107-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

memory/4636-106-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

memory/4636-109-0x0000000074250000-0x0000000074A01000-memory.dmp

memory/3320-110-0x0000000074250000-0x0000000074A01000-memory.dmp

memory/4324-111-0x0000000003C60000-0x0000000004066000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 227009207df95f563b12d6e087c29a1f
SHA1 0cbd7d6769cf669b9f896966834b8812ceea302f
SHA256 aceb1c10d64aa64ac94e68c836687f8ca5199c04ed85a997c0ac1bbf59a2924e
SHA512 c12c1b6ec85784b2d823f5b4a2f12a922a9cf8195038e853b8335220a3f6c609028008e59325442c6dd7a7946a3503a40c5524d6a81a8dc415376346f6cbb2c8

memory/3320-122-0x0000000070640000-0x0000000070997000-memory.dmp

memory/3320-121-0x00000000704C0000-0x000000007050C000-memory.dmp

memory/3320-132-0x000000007F9D0000-0x000000007F9E0000-memory.dmp

memory/4324-131-0x0000000000400000-0x0000000001E08000-memory.dmp

memory/3320-133-0x0000000005350000-0x0000000005360000-memory.dmp

memory/3320-135-0x0000000074250000-0x0000000074A01000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0796ac200d1f3642b598d14cf31606a1
SHA1 149e9647d003952a2b1a001c1510167158022cea
SHA256 f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6
SHA512 bb49e5f61975654800fa822e018275266c28c9fbec3dd6a2c93484a815d8e72d0df4d6dd66d3eb6d9e4c228272ab6d22896cc92c31d19857e06f3b8a741c69a5

memory/792-141-0x0000000004200000-0x0000000004600000-memory.dmp

memory/792-142-0x0000000000400000-0x0000000001E08000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ac068a1ffcd9149ce887695a1f451d5a
SHA1 97a8514e279c688a20032d493b2d15482287289c
SHA256 53222baec25fd586f59d1086298102f3175d7b9fca15e7e96cb72186ddd87caf
SHA512 62915b79b1afb3cc1adf3be73a993d86bafcd958932486e6f991cbccca3e31b5869b8d1c51b659a370d43007ec544fb62acf6858cd7ca568c60a7574e9588c9a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7e18c7528e98a2950b0a44e47033c4ad
SHA1 9491b0812d116c7534b72d05a894b852965a750f
SHA256 a6b16796fc2f46d22bea6833031a88a9eb1b2437029fa2ddc1f3c0cb67b1f1a0
SHA512 7e682877aec2d1997dbd0976f760462edfc6d83ac3784fd28012def0978c03c56bb60551a6a4a1df4d9959ad8aac46bda3ef011fc76a6158c127c232dc682055

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bcbd091bec5ac7be696f93bd988f1ed4
SHA1 c9345bb8851835ce6e5532751dee8384335eded0
SHA256 d85e0449bd5309a9eaa10b6aff2b5e5c482a9a240c235955907c5544bb0d9ce7
SHA512 9377b090522dfcc37e766504269d30ae71503f42540400e311c6179d12666830d20d9759e84588f4941060893dec3d04a52ae10c3b50cd2bfc60b299f99e6939

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-19 19:23

Reported

2024-04-19 19:25

Platform

win10v2004-20240412-en

Max time kernel

12s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\system32\cmd.exe
PID 4104 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2680 wrote to memory of 1560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4104 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4104 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe

"C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe

"C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 c94e8275-965d-432c-b014-7cfc857f3b21.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server1.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 stun2.l.google.com udp
NL 74.125.128.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hx0ilhtq.02x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 22d4f368f1bb41ba795b964af88e71cf
SHA1 12ae06d7aeee4cc6c21d208c0a740dcb8604896f
SHA256 52c70987c803730ee047f0db687471b03b90b7f63d4752071ddb9221e1e2101d
SHA512 a3d9c100e2a86759a9b966bf93e58ba6d0367ed25d39407293a13772de9e424aa499a99e94bb953cc4118fc23d3725e88b3b70625fed88341765f32a4c4703ef

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8db52f59e4e3a6689f426ea306bfb228
SHA1 4d7ddde94ca06302716b3f6a282744d8bd7db8e3
SHA256 61267d8f8d67d7c13aeda9921a26b76717e89933d2c674d1366390ef55cbe598
SHA512 b869ded8a080700e0abf8342fa991180abd4f5fad6191a62220238a96d5b8e1deede11c8289fa504f8b882603e5b3f48795effd0a1789520f7b029a51acc352d

C:\Windows\rss\csrss.exe

MD5 0796ac200d1f3642b598d14cf31606a1
SHA1 149e9647d003952a2b1a001c1510167158022cea
SHA256 f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6
SHA512 bb49e5f61975654800fa822e018275266c28c9fbec3dd6a2c93484a815d8e72d0df4d6dd66d3eb6d9e4c228272ab6d22896cc92c31d19857e06f3b8a741c69a5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 57d0307b083b4346b5a6db37b80eb11e
SHA1 80aadb4a6add989f5c112b746d2c3e297296ec33
SHA256 1d9fa9b6b89f2496fab006f80673d999efd7e7635877d931d738c56ee2209f64
SHA512 f9630d06a86e1ff80131cf86ad25f09715eeb55988733685d09ab5ffc825153b9ccb1c6b82aa7ee5dd66a5158513e3b1da25916ad2363f6ffd7a3e643f2a7a7b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b53f458dd5f927145710b7329d499885
SHA1 11d80370115425770acffd3663f16d11b1a5c905
SHA256 e7c0dc0599038668b540911e06ebe002aa0d991146cc4e0e93d1932725326814
SHA512 13923aa15561977202e1c0d3b05fbf8d3febd994eba6d441577e7767e53af97d9f42573eee8ac12d83e4ee1bd370664f572241d9274d2d6a89ed6b73d2703828

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b9158e689cc8351463949bab0defd447
SHA1 b6792c6d2b21774383a1b802e96b03e15f31b1e5
SHA256 07f17763960940f7eaa9c344066746949bfd4c1ae534ff2c096cb754b0d77c77
SHA512 4f952db2d0b094e1b847650033f051112a991ccf577fb3675d4e0420a1c6a1e619bad225428ebf9eb4126b9f8724274a7ed1dd3995fec3ee2dbc7374296edeaa

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
