glupteba | 18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6

Analysis

max time kernel
149s
max time network
129s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Size

4.1MB
MD5

d58ec40f7f174ef5d8f84e46a67bdb89
SHA1

fc2ffae43a6de0cbdc43dbac3cc66ff358aefb83
SHA256

18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6
SHA512

d2696183d5d35e601accc0bc748986089abf4645303e05e71e5d45a71ad4b46aa51cae846d170398ce4b9da417cac4d3b4c842867ef71d18c3914528fa4aeb7d
SSDEEP

98304:laldxVYbeltggr6p7qKtgoJu9O6Qxc6qPeInuZKahKn+3Qg:qxq6ggrt/os9O/WxuFhK+Ag

Score

10^/10

glupteba discovery dropper evasion execution loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1788-2-0x0000000004AA0000-0x000000000538B000-memory.dmp	family_glupteba
behavioral2/memory/1788-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1788-61-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1788-78-0x0000000004AA0000-0x000000000538B000-memory.dmp	family_glupteba
behavioral2/memory/1788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4160-121-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/4160-127-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-203-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-214-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-217-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-220-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-223-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-226-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-229-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-232-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-235-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-238-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-241-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba
behavioral2/memory/1200-244-0x0000000000400000-0x000000000295D000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4808 netsh.exe
Executes dropped EXE 4 IoCs

Processes:

csrss.exeinjector.exewindefender.exewindefender.exe

pid process

1200 csrss.exe
4020 injector.exe
4676 windefender.exe
4424 windefender.exe

pid	process
4808	netsh.exe

pid	process
1200	csrss.exe
4020	injector.exe
4676	windefender.exe
4424	windefender.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/4676-207-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4424-211-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4676-212-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4424-215-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4424-221-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exe18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe

Drops file in Windows directory 4 IoCs

Processes:

18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
File created	C:\Windows\rss\csrss.exe	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

240 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4064 powershell.exe
3692 powershell.exe
5052 powershell.exe
4272 powershell.exe
4984 powershell.exe
4900 powershell.exe
3144 powershell.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1548 schtasks.exe
32 schtasks.exe

pid	process
240	sc.exe

pid	process
4064	powershell.exe
3692	powershell.exe
5052	powershell.exe
4272	powershell.exe
4984	powershell.exe
4900	powershell.exe
3144	powershell.exe

pid	process
1548	schtasks.exe
32	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exepowershell.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exepowershell.exe18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
4272	powershell.exe
4272	powershell.exe
1788	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
1788	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4984	powershell.exe
4984	powershell.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
4900	powershell.exe
4900	powershell.exe
3144	powershell.exe
3144	powershell.exe
4064	powershell.exe
4064	powershell.exe
3692	powershell.exe
3692	powershell.exe
5052	powershell.exe
5052	powershell.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
1200	csrss.exe
1200	csrss.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
1200	csrss.exe
1200	csrss.exe
4020	injector.exe
4020	injector.exe
1200	csrss.exe
1200	csrss.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe
4020	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exe18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	1788	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Token: SeImpersonatePrivilege	1788	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeSystemEnvironmentPrivilege	1200	csrss.exe
Token: SeSecurityPrivilege	240	sc.exe
Token: SeSecurityPrivilege	240	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.execmd.execsrss.exewindefender.execmd.exe

description	pid	process	target process
PID 1788 wrote to memory of 4272	1788	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 1788 wrote to memory of 4272	1788	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 1788 wrote to memory of 4272	1788	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 4984	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 4984	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 4984	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 2212	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	cmd.exe
PID 4160 wrote to memory of 2212	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	cmd.exe
PID 2212 wrote to memory of 4808	2212	cmd.exe	netsh.exe
PID 2212 wrote to memory of 4808	2212	cmd.exe	netsh.exe
PID 4160 wrote to memory of 4900	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 4900	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 4900	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 3144	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 3144	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 3144	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	powershell.exe
PID 4160 wrote to memory of 1200	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	csrss.exe
PID 4160 wrote to memory of 1200	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	csrss.exe
PID 4160 wrote to memory of 1200	4160	18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe	csrss.exe
PID 1200 wrote to memory of 4064	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 4064	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 4064	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 3692	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 3692	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 3692	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 5052	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 5052	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 5052	1200	csrss.exe	powershell.exe
PID 1200 wrote to memory of 4020	1200	csrss.exe	injector.exe
PID 1200 wrote to memory of 4020	1200	csrss.exe	injector.exe
PID 4676 wrote to memory of 4904	4676	windefender.exe	cmd.exe
PID 4676 wrote to memory of 4904	4676	windefender.exe	cmd.exe
PID 4676 wrote to memory of 4904	4676	windefender.exe	cmd.exe
PID 4904 wrote to memory of 240	4904	cmd.exe	sc.exe
PID 4904 wrote to memory of 240	4904	cmd.exe	sc.exe
PID 4904 wrote to memory of 240	4904	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
"C:\Users\Admin\AppData\Local\Temp\18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Users\Admin\AppData\Local\Temp\18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe
"C:\Users\Admin\AppData\Local\Temp\18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6.exe"
2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1548

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:3712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:32

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dpyroa2s.ey3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
fe038461c24aeb26981e4c8575c9954a

SHA1
3dab0732f1f631be0d7784e1a72e74b8d7c58540

SHA256
9e2c805dc207840629a03d382330896c15f9c0ce7f292a2d27dcb3f0c0d2a36f

SHA512
144705d51c5d92094ca735c0ea8c40be32867679d45455665c3bdc089e17586ec7c91c591ffff45d06600f1a7595b5ad12d46fb32a79cb34d78f037f91b66c1b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
13b3080e67e098295382703383f805c1

SHA1
88e841e0f15c49a3a79374dc1e256bfe0fda21bd

SHA256
a4dff07f3c5c8169c4adaf76cbe8f8f53f418c3a7c5f6c12dd0344a138da1e6c

SHA512
186fe1ed14ad3a71c6aa0366094130baaca9bda0683e06716191756a0a2a431a3cc085f2fda4f661e9acc47b06342be9b2f4ae348ba6e950e8618e93cb3b7c2d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
d86da8dd3877ea4b9ab06b85be17515d

SHA1
87f915b866197b1528b0acf746e03d74fc4191a6

SHA256
ad0bc16a2e969db1aef073b08b49df9715550c0baa8232f374fc0369e351910b

SHA512
c5e780e088f76bc1da7a8534ecda50261e5b92d0bff356f562ae03a6457a05cbc5dfc76c5d86f3eb7922534dd8256dfe5d6dc29cd4642e5841127e4944d4e1ca

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
85f33e9dc909143dfe3841c3925996ea

SHA1
1fc83ed45f3dbf132bee18e8ab93ca7ccb0c8b3a

SHA256
edfb91c9d87141354361d17cbe9eeb3c941864e677cfc8a70544648fdf3c7240

SHA512
cc09e49c2bc5ff5e38f2fef673b159d3a5b549eeac0dda1628b55ac5f8dd312f003261c75d9e7299897083be369b580907ec13d48df0f8f378998c29995fd721

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
8c4008a9fcfef3befd19d618e28cd116

SHA1
079c35fd731d3d5965a6bc7637148f7f013cbb83

SHA256
624fbf873753cf9a63c3b19745aab21110367a68f241e09906a7ae297ee48035

SHA512
0462395ccae7df53b2c369dca096d86f0f6d2d7d560d5277692aaedcc78fb72687a2a0dde5e760f9a178ec40aab8b7586e1bf693770f5f27b5b86453371df19d

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
d58ec40f7f174ef5d8f84e46a67bdb89

SHA1
fc2ffae43a6de0cbdc43dbac3cc66ff358aefb83

SHA256
18a56ba77bb796ffd6cba3cd8629085576984841326fbf16d3b2d645bdae61c6

SHA512
d2696183d5d35e601accc0bc748986089abf4645303e05e71e5d45a71ad4b46aa51cae846d170398ce4b9da417cac4d3b4c842867ef71d18c3914528fa4aeb7d

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1200-214-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-229-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-220-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-217-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-238-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-241-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-203-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-232-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-226-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-223-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-235-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1200-244-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1788-78-0x0000000004AA0000-0x000000000538B000-memory.dmp

Filesize
8.9MB

Download
memory/1788-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1788-1-0x0000000004690000-0x0000000004A91000-memory.dmp

Filesize
4.0MB

Download
memory/1788-122-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1788-61-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/1788-2-0x0000000004AA0000-0x000000000538B000-memory.dmp

Filesize
8.9MB

Download
memory/1788-62-0x0000000004690000-0x0000000004A91000-memory.dmp

Filesize
4.0MB

Download
memory/3144-112-0x00000000711A0000-0x00000000714F7000-memory.dmp

Filesize
3.3MB

Download
memory/3144-109-0x0000000006270000-0x00000000065C7000-memory.dmp

Filesize
3.3MB

Download
memory/3144-111-0x0000000071020000-0x000000007106C000-memory.dmp

Filesize
304KB

Download
memory/3692-174-0x0000000005090000-0x00000000050A5000-memory.dmp

Filesize
84KB

Download
memory/3692-162-0x0000000070F40000-0x0000000070F8C000-memory.dmp

Filesize
304KB

Download
memory/3692-151-0x00000000056E0000-0x0000000005A37000-memory.dmp

Filesize
3.3MB

Download
memory/3692-161-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/3692-172-0x0000000006E70000-0x0000000006F14000-memory.dmp

Filesize
656KB

Download
memory/3692-173-0x00000000071E0000-0x00000000071F1000-memory.dmp

Filesize
68KB

Download
memory/3692-163-0x0000000071190000-0x00000000714E7000-memory.dmp

Filesize
3.3MB

Download
memory/4064-140-0x0000000071020000-0x000000007106C000-memory.dmp

Filesize
304KB

Download
memory/4064-141-0x0000000071270000-0x00000000715C7000-memory.dmp

Filesize
3.3MB

Download
memory/4160-121-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/4160-127-0x0000000000400000-0x000000000295D000-memory.dmp

Filesize
37.4MB

Download
memory/4272-38-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4272-43-0x0000000007270000-0x0000000007281000-memory.dmp

Filesize
68KB

Download
memory/4272-4-0x0000000074DBE000-0x0000000074DBF000-memory.dmp

Filesize
4KB

Download
memory/4272-5-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/4272-7-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4272-6-0x0000000004F10000-0x000000000553A000-memory.dmp

Filesize
6.2MB

Download
memory/4272-8-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/4272-10-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4272-9-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/4272-20-0x0000000005790000-0x0000000005AE7000-memory.dmp

Filesize
3.3MB

Download
memory/4272-50-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4272-47-0x0000000007310000-0x0000000007318000-memory.dmp

Filesize
32KB

Download
memory/4272-46-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/4272-45-0x00000000072D0000-0x00000000072E5000-memory.dmp

Filesize
84KB

Download
memory/4272-44-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/4272-23-0x00000000061D0000-0x0000000006216000-memory.dmp

Filesize
280KB

Download
memory/4272-42-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/4272-41-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/4272-40-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/4272-39-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/4272-37-0x00000000070E0000-0x0000000007184000-memory.dmp

Filesize
656KB

Download
memory/4272-24-0x0000000007060000-0x0000000007094000-memory.dmp

Filesize
208KB

Download
memory/4272-27-0x00000000711B0000-0x0000000071507000-memory.dmp

Filesize
3.3MB

Download
memory/4272-19-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4272-36-0x00000000070C0000-0x00000000070DE000-memory.dmp

Filesize
120KB

Download
memory/4272-21-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/4272-22-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/4272-25-0x0000000071020000-0x000000007106C000-memory.dmp

Filesize
304KB

Download
memory/4272-26-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4424-215-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4424-221-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4424-211-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4676-212-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4676-207-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4900-90-0x0000000071020000-0x000000007106C000-memory.dmp

Filesize
304KB

Download
memory/4900-85-0x0000000006240000-0x0000000006597000-memory.dmp

Filesize
3.3MB

Download
memory/4900-91-0x0000000071270000-0x00000000715C7000-memory.dmp

Filesize
3.3MB

Download
memory/4984-60-0x0000000005FA0000-0x00000000062F7000-memory.dmp

Filesize
3.3MB

Download
memory/4984-63-0x0000000071020000-0x000000007106C000-memory.dmp

Filesize
304KB

Download
memory/4984-64-0x00000000711C0000-0x0000000071517000-memory.dmp

Filesize
3.3MB

Download
memory/4984-73-0x0000000007740000-0x00000000077E4000-memory.dmp

Filesize
656KB

Download
memory/4984-74-0x0000000007A60000-0x0000000007A71000-memory.dmp

Filesize
68KB

Download
memory/4984-75-0x0000000007AB0000-0x0000000007AC5000-memory.dmp

Filesize
84KB

Download
memory/5052-184-0x0000000006010000-0x0000000006367000-memory.dmp

Filesize
3.3MB

Download
memory/5052-187-0x00000000710C0000-0x0000000071417000-memory.dmp

Filesize
3.3MB

Download
memory/5052-186-0x0000000070F40000-0x0000000070F8C000-memory.dmp

Filesize
304KB

Download