glupteba | 50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e

Analysis

max time kernel
150s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
19-05-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Size

4.1MB
MD5

e58d1153bc8172c3df9e53d601aecbaf
SHA1

eb36698471b8f27a30f112b4d813d9d7140b9a70
SHA256

50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e
SHA512

7eae257b03e4957930c2a318b19717f713e079432a5d30d83438d6386e90dca41973031128f7b324e8c00eacf68df23746ff5476a16c8876823c4d521f39e9f7
SSDEEP

98304:IuOdAWE/bfbxbxBimum48oJjLrUZhWcgWy75MTps2CObMUZCzBSS:IuOpIddBi3V8Ojm7gWylM939C3

Score

10^/10

glupteba discovery dropper evasion execution loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral2/memory/1720-2-0x0000000004A60000-0x000000000534B000-memory.dmp	family_glupteba
behavioral2/memory/1720-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1720-126-0x0000000004A60000-0x000000000534B000-memory.dmp	family_glupteba
behavioral2/memory/1720-125-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/1720-194-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4368-193-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-202-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-214-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-218-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-222-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-226-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-230-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-234-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-238-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-242-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-246-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-250-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-254-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba
behavioral2/memory/4468-258-0x0000000000400000-0x000000000273B000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1296	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
4468	csrss.exe
4484	injector.exe
2844	windefender.exe
4636	windefender.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000002aa37-205.dat	upx
behavioral2/memory/2844-208-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4636-210-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2844-212-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4636-216-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4636-224-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2228	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1820	powershell.exe
4464	powershell.exe
1456	powershell.exe
2028	powershell.exe
3908	powershell.exe
872	powershell.exe
3956	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe
1040	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4464	powershell.exe
4464	powershell.exe
1720	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
1720	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
1456	powershell.exe
1456	powershell.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
2028	powershell.exe
2028	powershell.exe
3908	powershell.exe
3908	powershell.exe
872	powershell.exe
872	powershell.exe
3956	powershell.exe
3956	powershell.exe
1820	powershell.exe
1820	powershell.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4468	csrss.exe
4468	csrss.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4468	csrss.exe
4468	csrss.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4468	csrss.exe
4468	csrss.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe
4484	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	1720	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Token: SeImpersonatePrivilege	1720	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeSystemEnvironmentPrivilege	4468	csrss.exe
Token: SeSecurityPrivilege	2228	sc.exe
Token: SeSecurityPrivilege	2228	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 4464	1720	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	82
PID 1720 wrote to memory of 4464	1720	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	82
PID 1720 wrote to memory of 4464	1720	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	82
PID 4368 wrote to memory of 1456	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	88
PID 4368 wrote to memory of 1456	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	88
PID 4368 wrote to memory of 1456	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	88
PID 4368 wrote to memory of 3476	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	90
PID 4368 wrote to memory of 3476	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	90
PID 3476 wrote to memory of 1296	3476	cmd.exe	92
PID 3476 wrote to memory of 1296	3476	cmd.exe	92
PID 4368 wrote to memory of 2028	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	93
PID 4368 wrote to memory of 2028	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	93
PID 4368 wrote to memory of 2028	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	93
PID 4368 wrote to memory of 3908	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	95
PID 4368 wrote to memory of 3908	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	95
PID 4368 wrote to memory of 3908	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	95
PID 4368 wrote to memory of 4468	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	97
PID 4368 wrote to memory of 4468	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	97
PID 4368 wrote to memory of 4468	4368	50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe	97
PID 4468 wrote to memory of 872	4468	csrss.exe	98
PID 4468 wrote to memory of 872	4468	csrss.exe	98
PID 4468 wrote to memory of 872	4468	csrss.exe	98
PID 4468 wrote to memory of 3956	4468	csrss.exe	103
PID 4468 wrote to memory of 3956	4468	csrss.exe	103
PID 4468 wrote to memory of 3956	4468	csrss.exe	103
PID 4468 wrote to memory of 1820	4468	csrss.exe	106
PID 4468 wrote to memory of 1820	4468	csrss.exe	106
PID 4468 wrote to memory of 1820	4468	csrss.exe	106
PID 4468 wrote to memory of 4484	4468	csrss.exe	108
PID 4468 wrote to memory of 4484	4468	csrss.exe	108
PID 2844 wrote to memory of 3144	2844	windefender.exe	114
PID 2844 wrote to memory of 3144	2844	windefender.exe	114
PID 2844 wrote to memory of 3144	2844	windefender.exe	114
PID 3144 wrote to memory of 2228	3144	cmd.exe	115
PID 3144 wrote to memory of 2228	3144	cmd.exe	115
PID 3144 wrote to memory of 2228	3144	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
"C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
  "C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:872
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1040
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4484
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2956
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ausqfy4y.nbt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b8b0a3c57b9af7a7995c5a54e1f7b7f9

SHA1
6328c8a06a18b3b27df8959f74e5b9a3a11e9e75

SHA256
375c2f268a9c9b90417323a2999ca5bdf8af965d72d7ae44bcb3246bcd227ea7

SHA512
82786b718c0b4083609cc260634ad63dec1c50b118fad2b72751466e46836fb58818bc89f796c0bd6a03279fd69335d76efbc4492024410d7ef3c48ac624429b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
967a70fa855b326eb88d140de7387891

SHA1
d522be40d0a9625fce5713cca5bbfcb0f9c39538

SHA256
2ea61d2204eefd887de3b3f326763569cebadf2f4560efd91ee18a0ffae1afb3

SHA512
630bd97debe9e5de7426ba55b92c87efc9f5d9d93b0c98661c3b91d8eadc88ef0a9467b1e2bab986d5d57e3ed85ed381c75a5445da7ca5c6a70092fc6b1e80ae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
117b1c2d6c873934b35b940e2af556b4

SHA1
addd9195e3bc248b661696cdb60e056aefd74014

SHA256
6ac5d6daf42986717c198c4fdcd4099d0e87fbdeabd14eb70327cacd5c5d3358

SHA512
0145e8756d4ba4c5671779845d9fa7c8f4628e7392f955d3d1cb2d328ce538cdba92dd59cea335dbb2dfe9b9e41eda41e5329288b925dd2f14af72d7523c5924

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
338e210188fc8e08d2ced15f399eae55

SHA1
b3d58c5bf54176c3e277526fc79b32b3e81640f1

SHA256
1ab67db44570379609e8146b91ea0ed0b3e235a6f088853cfb5002ac3e4b8e36

SHA512
66c3dc0e7056298188d5a011ab8704b4a0ec1fc4d06daa70563c11c1bbcdf49b8ced9f64305aafc4c2020c5b73691144c56d95c9d9354cc1b25c0b6b402fffa1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
fff358f324b17f412b27a6f0227d62af

SHA1
ab28c6fe725885cdef6ddd8efbedde72d5943e53

SHA256
071480ae1ae9d3e0102c2ec2ecb4383bfaeadc5bd7ba395097583020da5081a5

SHA512
56cb785a516ca28d9fc5ca9dfe02dbe0f246d36330b0da17d04ce848ad7103f95eb0440b1fe595ce7c63a912cfc26308d6866e792a36cd8a263bdc2cefa834bf

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
e58d1153bc8172c3df9e53d601aecbaf

SHA1
eb36698471b8f27a30f112b4d813d9d7140b9a70

SHA256
50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e

SHA512
7eae257b03e4957930c2a318b19717f713e079432a5d30d83438d6386e90dca41973031128f7b324e8c00eacf68df23746ff5476a16c8876823c4d521f39e9f7

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/872-138-0x0000000071030000-0x0000000071387000-memory.dmp

Filesize
3.3MB

Download
memory/872-137-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/872-127-0x00000000061C0000-0x0000000006517000-memory.dmp

Filesize
3.3MB

Download
memory/1456-73-0x0000000007300000-0x0000000007315000-memory.dmp

Filesize
84KB

Download
memory/1456-72-0x00000000072B0000-0x00000000072C1000-memory.dmp

Filesize
68KB

Download
memory/1456-71-0x0000000006F60000-0x0000000007004000-memory.dmp

Filesize
656KB

Download
memory/1456-62-0x0000000071010000-0x0000000071367000-memory.dmp

Filesize
3.3MB

Download
memory/1456-61-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/1456-60-0x0000000005800000-0x0000000005B57000-memory.dmp

Filesize
3.3MB

Download
memory/1720-87-0x0000000004660000-0x0000000004A5A000-memory.dmp

Filesize
4.0MB

Download
memory/1720-1-0x0000000004660000-0x0000000004A5A000-memory.dmp

Filesize
4.0MB

Download
memory/1720-126-0x0000000004A60000-0x000000000534B000-memory.dmp

Filesize
8.9MB

Download
memory/1720-125-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/1720-194-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1720-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1720-2-0x0000000004A60000-0x000000000534B000-memory.dmp

Filesize
8.9MB

Download
memory/1820-181-0x0000000005F90000-0x00000000062E7000-memory.dmp

Filesize
3.3MB

Download
memory/1820-184-0x0000000070E80000-0x00000000711D7000-memory.dmp

Filesize
3.3MB

Download
memory/1820-183-0x0000000070D00000-0x0000000070D4C000-memory.dmp

Filesize
304KB

Download
memory/2028-88-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/2028-89-0x0000000070FF0000-0x0000000071347000-memory.dmp

Filesize
3.3MB

Download
memory/2028-85-0x0000000005E30000-0x0000000006187000-memory.dmp

Filesize
3.3MB

Download
memory/2844-212-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2844-208-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3908-107-0x00000000057A0000-0x0000000005AF7000-memory.dmp

Filesize
3.3MB

Download
memory/3908-110-0x0000000070F80000-0x00000000712D7000-memory.dmp

Filesize
3.3MB

Download
memory/3908-109-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/3956-158-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/3956-159-0x0000000070D00000-0x0000000070D4C000-memory.dmp

Filesize
304KB

Download
memory/3956-160-0x0000000070EF0000-0x0000000071247000-memory.dmp

Filesize
3.3MB

Download
memory/3956-169-0x0000000007720000-0x00000000077C4000-memory.dmp

Filesize
656KB

Download
memory/3956-156-0x0000000005F50000-0x00000000062A7000-memory.dmp

Filesize
3.3MB

Download
memory/3956-170-0x0000000007A90000-0x0000000007AA1000-memory.dmp

Filesize
68KB

Download
memory/3956-171-0x00000000062D0000-0x00000000062E5000-memory.dmp

Filesize
84KB

Download
memory/4368-193-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4464-27-0x0000000070F60000-0x00000000712B7000-memory.dmp

Filesize
3.3MB

Download
memory/4464-6-0x0000000005280000-0x00000000058AA000-memory.dmp

Filesize
6.2MB

Download
memory/4464-46-0x0000000007640000-0x000000000765A000-memory.dmp

Filesize
104KB

Download
memory/4464-26-0x0000000074B70000-0x0000000075321000-memory.dmp

Filesize
7.7MB

Download
memory/4464-24-0x0000000007380000-0x00000000073B4000-memory.dmp

Filesize
208KB

Download
memory/4464-36-0x00000000073E0000-0x00000000073FE000-memory.dmp

Filesize
120KB

Download
memory/4464-25-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

Filesize
304KB

Download
memory/4464-23-0x00000000064E0000-0x0000000006526000-memory.dmp

Filesize
280KB

Download
memory/4464-22-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

Filesize
304KB

Download
memory/4464-21-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/4464-20-0x0000000074B70000-0x0000000075321000-memory.dmp

Filesize
7.7MB

Download
memory/4464-38-0x0000000074B70000-0x0000000075321000-memory.dmp

Filesize
7.7MB

Download
memory/4464-19-0x0000000005B40000-0x0000000005E97000-memory.dmp

Filesize
3.3MB

Download
memory/4464-39-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/4464-41-0x0000000007570000-0x000000000757A000-memory.dmp

Filesize
40KB

Download
memory/4464-40-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/4464-42-0x0000000007680000-0x0000000007716000-memory.dmp

Filesize
600KB

Download
memory/4464-43-0x0000000007590000-0x00000000075A1000-memory.dmp

Filesize
68KB

Download
memory/4464-44-0x00000000075E0000-0x00000000075EE000-memory.dmp

Filesize
56KB

Download
memory/4464-9-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4464-10-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4464-8-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/4464-7-0x0000000074B70000-0x0000000075321000-memory.dmp

Filesize
7.7MB

Download
memory/4464-37-0x0000000007400000-0x00000000074A4000-memory.dmp

Filesize
656KB

Download
memory/4464-45-0x00000000075F0000-0x0000000007605000-memory.dmp

Filesize
84KB

Download
memory/4464-5-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

Filesize
216KB

Download
memory/4464-47-0x0000000007660000-0x0000000007668000-memory.dmp

Filesize
32KB

Download
memory/4464-4-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/4464-50-0x0000000074B70000-0x0000000075321000-memory.dmp

Filesize
7.7MB

Download
memory/4468-230-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-250-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-214-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-258-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-226-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-222-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-202-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-254-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-218-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-234-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-238-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-242-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4468-246-0x0000000000400000-0x000000000273B000-memory.dmp

Filesize
35.2MB

Download
memory/4636-210-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4636-224-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4636-216-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download