glupteba | 5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
19-05-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Size

4.1MB
MD5

869365e1a5d0f9606c0e19e69653c355
SHA1

40199e076c603c24dd4e6980f5f461bc33070f34
SHA256

5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036
SHA512

a0b776c009b6012eb4ae83b24d7f628cd57fe815758118daaa9ddff9fe3292fb6c25fc0271815517b084305a97072b9f93292adb8491d63322da019d91f70d35
SSDEEP

98304:BvHfbigA34ifkpJZQU0TgaIfW6UkFHwAhDtgwFW+1L:BvHfb2IifudqhIuUHwAjW+5

Score

10^/10

glupteba discovery dropper evasion execution loader persistence rootkit upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1932-2-0x00000000049D0000-0x00000000052BB000-memory.dmp	family_glupteba
behavioral2/memory/1932-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1932-99-0x00000000049D0000-0x00000000052BB000-memory.dmp	family_glupteba
behavioral2/memory/1932-97-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/1228-124-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/1932-136-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2900-201-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-212-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-215-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-218-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-221-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-224-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-227-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-230-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-233-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-236-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-239-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-242-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/2900-245-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
416	netsh.exe

Executes dropped EXE 4 IoCs

Processes:

csrss.exeinjector.exewindefender.exewindefender.exe

pid	Process
2900	csrss.exe
2128	injector.exe
3600	windefender.exe
4212	windefender.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000200000002aa2a-204.dat	upx
behavioral2/memory/3600-205-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4212-208-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3600-210-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4212-214-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4212-219-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.execsrss.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

Processes:

csrss.exe

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe

Drops file in Windows directory 4 IoCs

Processes:

5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.execsrss.exe

description	ioc	Process
File opened for modification	C:\Windows\rss	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
File created	C:\Windows\rss\csrss.exe	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
3616	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4936	powershell.exe
1000	powershell.exe
3756	powershell.exe
4020	powershell.exe
3764	powershell.exe
1044	powershell.exe
5084	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
2008	schtasks.exe
3704	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3141 = "South Sudan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exepowershell.exe5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	Process
3764	powershell.exe
3764	powershell.exe
1932	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1932	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1044	powershell.exe
1044	powershell.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
5084	powershell.exe
5084	powershell.exe
4936	powershell.exe
4936	powershell.exe
1000	powershell.exe
1000	powershell.exe
3756	powershell.exe
3756	powershell.exe
4020	powershell.exe
4020	powershell.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2900	csrss.exe
2900	csrss.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2900	csrss.exe
2900	csrss.exe
2128	injector.exe
2128	injector.exe
2900	csrss.exe
2900	csrss.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe
2128	injector.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exe5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	Process
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	1932	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Token: SeImpersonatePrivilege	1932	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	2900	csrss.exe
Token: SeSecurityPrivilege	3616	sc.exe
Token: SeSecurityPrivilege	3616	sc.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.execmd.execsrss.exewindefender.execmd.exe

description	pid	Process	procid_target
PID 1932 wrote to memory of 3764	1932	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	82
PID 1932 wrote to memory of 3764	1932	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	82
PID 1932 wrote to memory of 3764	1932	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	82
PID 1228 wrote to memory of 1044	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	87
PID 1228 wrote to memory of 1044	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	87
PID 1228 wrote to memory of 1044	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	87
PID 1228 wrote to memory of 1856	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	89
PID 1228 wrote to memory of 1856	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	89
PID 1856 wrote to memory of 416	1856	cmd.exe	91
PID 1856 wrote to memory of 416	1856	cmd.exe	91
PID 1228 wrote to memory of 5084	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	92
PID 1228 wrote to memory of 5084	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	92
PID 1228 wrote to memory of 5084	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	92
PID 1228 wrote to memory of 4936	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	94
PID 1228 wrote to memory of 4936	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	94
PID 1228 wrote to memory of 4936	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	94
PID 1228 wrote to memory of 2900	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	96
PID 1228 wrote to memory of 2900	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	96
PID 1228 wrote to memory of 2900	1228	5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe	96
PID 2900 wrote to memory of 1000	2900	csrss.exe	97
PID 2900 wrote to memory of 1000	2900	csrss.exe	97
PID 2900 wrote to memory of 1000	2900	csrss.exe	97
PID 2900 wrote to memory of 3756	2900	csrss.exe	103
PID 2900 wrote to memory of 3756	2900	csrss.exe	103
PID 2900 wrote to memory of 3756	2900	csrss.exe	103
PID 2900 wrote to memory of 4020	2900	csrss.exe	105
PID 2900 wrote to memory of 4020	2900	csrss.exe	105
PID 2900 wrote to memory of 4020	2900	csrss.exe	105
PID 2900 wrote to memory of 2128	2900	csrss.exe	107
PID 2900 wrote to memory of 2128	2900	csrss.exe	107
PID 3600 wrote to memory of 2004	3600	windefender.exe	113
PID 3600 wrote to memory of 2004	3600	windefender.exe	113
PID 3600 wrote to memory of 2004	3600	windefender.exe	113
PID 2004 wrote to memory of 3616	2004	cmd.exe	114
PID 2004 wrote to memory of 3616	2004	cmd.exe	114
PID 2004 wrote to memory of 3616	2004	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
"C:\Users\Admin\AppData\Local\Temp\5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe
  "C:\Users\Admin\AppData\Local\Temp\5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Manipulates WinMonFS driver.
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2008
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2128
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3704
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bw0lxkdf.g4r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
68035a9428bf4b257410abd142e40c8d

SHA1
1fb139952c58629925848b9bb76889aad2eb2b69

SHA256
4aad66c7255b448dd682f59cd282d228d4a5d413758a6def7fca4a5086463884

SHA512
2150acb187a84f7ccc03069123c57f9abfac20c42b9eeb09eda813c1220686f06cdfa5f175c5c9c1ac5e5a8b6463916f28e47d008a78272e6b42579cde21e09c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d82d5c2698d505fc0fd146cfc7772323

SHA1
be832fc6d5839a1f0b830a5ecde20dfd6e76a3c4

SHA256
afaf237c0c63d110b965cad651291534dd1e737afc6a1cb80096660dc0d65238

SHA512
bb32074d8071e82be64d29366009c3904711af998f53fb1b6e3fdd11c3bac96d47e5ee82fbc9e2314b6a0f545f1ad8e2ec20caaa55b9029bc6fd54e3ac7a7d95

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d2ab0b71d26c75edc4de7bc067e08745

SHA1
5d209cb3c7c46b1c75d5dfb8543bb6e0e8fa9237

SHA256
f3a10e7a69e731f5b3600a3cb69dd11de523d0c0b16a701d8919112e7b719e99

SHA512
cf72b2b9f8a3c8a12179d628ed72c0e6316143c17ab5bb354248aa05caf4a0c0ada19ae1921e004e7034f60d11c0639a16b1e8348646fde9de6a776c444a6ced

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b36c840e2ad7d2c76c03a7766b6134d6

SHA1
3ee841e40bf791b86a1dbea27ed3862f66eaf9c1

SHA256
14e69dc7d33e6682fa00225941619888dfa8efc58c4a14fe87aeed5e1e590b49

SHA512
68db7f23cb60159105241ec39956eb29551c94b7f492cb4ca6cb88748c7e9acc34beeeaeb977eafb88b275b32b0bc529f4b0b5c6ade34d58da23aef7326a73e4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e35c6fad14ff4d2ff09b4264ef9461e4

SHA1
776f96d483c690ee1001c62c5bbee9615df8a1b6

SHA256
589891fa69bf0e6e75a04d238978f8bc899d9431d63899d202818a298b5962f5

SHA512
dcb1831cb609e817ee8c724b88511acdf29a3a47e983c38dc294c342b0a6b7fbb56deac4d14d529856f5e82d2e1492e88169e79bc5eec95eedece36b32c272c9

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
869365e1a5d0f9606c0e19e69653c355

SHA1
40199e076c603c24dd4e6980f5f461bc33070f34

SHA256
5304a88d9b4e289f5272b09fece10bb6054c16564662316347bb5e287cbea036

SHA512
a0b776c009b6012eb4ae83b24d7f628cd57fe815758118daaa9ddff9fe3292fb6c25fc0271815517b084305a97072b9f93292adb8491d63322da019d91f70d35

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1000-135-0x0000000005DA0000-0x00000000060F7000-memory.dmp

Filesize
3.3MB

Download
memory/1000-139-0x00000000712B0000-0x0000000071607000-memory.dmp

Filesize
3.3MB

Download
memory/1000-138-0x00000000710A0000-0x00000000710EC000-memory.dmp

Filesize
304KB

Download
memory/1044-62-0x0000000071240000-0x0000000071597000-memory.dmp

Filesize
3.3MB

Download
memory/1044-60-0x0000000005CB0000-0x0000000006007000-memory.dmp

Filesize
3.3MB

Download
memory/1044-73-0x0000000007730000-0x0000000007745000-memory.dmp

Filesize
84KB

Download
memory/1044-72-0x00000000076E0000-0x00000000076F1000-memory.dmp

Filesize
68KB

Download
memory/1044-71-0x0000000007340000-0x00000000073E4000-memory.dmp

Filesize
656KB

Download
memory/1044-61-0x00000000710A0000-0x00000000710EC000-memory.dmp

Filesize
304KB

Download
memory/1228-124-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/1932-97-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/1932-2-0x00000000049D0000-0x00000000052BB000-memory.dmp

Filesize
8.9MB

Download
memory/1932-1-0x00000000045C0000-0x00000000049C3000-memory.dmp

Filesize
4.0MB

Download
memory/1932-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1932-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1932-98-0x00000000045C0000-0x00000000049C3000-memory.dmp

Filesize
4.0MB

Download
memory/1932-99-0x00000000049D0000-0x00000000052BB000-memory.dmp

Filesize
8.9MB

Download
memory/2900-221-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-230-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-245-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-242-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-239-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-236-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-233-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-227-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-201-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-224-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-218-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-212-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/2900-215-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3600-210-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3600-205-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3756-172-0x00000000058B0000-0x00000000058C5000-memory.dmp

Filesize
84KB

Download
memory/3756-159-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download
memory/3756-171-0x0000000007050000-0x0000000007061000-memory.dmp

Filesize
68KB

Download
memory/3756-161-0x00000000711F0000-0x0000000071547000-memory.dmp

Filesize
3.3MB

Download
memory/3756-170-0x0000000006D40000-0x0000000006DE4000-memory.dmp

Filesize
656KB

Download
memory/3756-157-0x0000000005400000-0x0000000005757000-memory.dmp

Filesize
3.3MB

Download
memory/3756-160-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/3764-39-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/3764-22-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/3764-4-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/3764-5-0x0000000002F80000-0x0000000002FB6000-memory.dmp

Filesize
216KB

Download
memory/3764-6-0x0000000005750000-0x0000000005D7A000-memory.dmp

Filesize
6.2MB

Download
memory/3764-7-0x0000000074E30000-0x00000000755E1000-memory.dmp

Filesize
7.7MB

Download
memory/3764-50-0x0000000074E30000-0x00000000755E1000-memory.dmp

Filesize
7.7MB

Download
memory/3764-47-0x0000000007B40000-0x0000000007B48000-memory.dmp

Filesize
32KB

Download
memory/3764-46-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/3764-45-0x0000000007AD0000-0x0000000007AE5000-memory.dmp

Filesize
84KB

Download
memory/3764-44-0x0000000007AC0000-0x0000000007ACE000-memory.dmp

Filesize
56KB

Download
memory/3764-43-0x0000000007A70000-0x0000000007A81000-memory.dmp

Filesize
68KB

Download
memory/3764-42-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/3764-41-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/3764-40-0x0000000074E30000-0x00000000755E1000-memory.dmp

Filesize
7.7MB

Download
memory/3764-38-0x0000000008050000-0x00000000086CA000-memory.dmp

Filesize
6.5MB

Download
memory/3764-8-0x0000000074E30000-0x00000000755E1000-memory.dmp

Filesize
7.7MB

Download
memory/3764-26-0x0000000074E30000-0x00000000755E1000-memory.dmp

Filesize
7.7MB

Download
memory/3764-9-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/3764-11-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/3764-27-0x0000000071220000-0x0000000071577000-memory.dmp

Filesize
3.3MB

Download
memory/3764-36-0x00000000078C0000-0x00000000078DE000-memory.dmp

Filesize
120KB

Download
memory/3764-37-0x00000000078E0000-0x0000000007984000-memory.dmp

Filesize
656KB

Download
memory/3764-24-0x0000000007860000-0x0000000007894000-memory.dmp

Filesize
208KB

Download
memory/3764-10-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/3764-25-0x00000000710A0000-0x00000000710EC000-memory.dmp

Filesize
304KB

Download
memory/3764-23-0x00000000068B0000-0x00000000068F6000-memory.dmp

Filesize
280KB

Download
memory/3764-20-0x0000000005FD0000-0x0000000006327000-memory.dmp

Filesize
3.3MB

Download
memory/3764-21-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/4020-185-0x00000000711B0000-0x0000000071507000-memory.dmp

Filesize
3.3MB

Download
memory/4020-184-0x0000000070FC0000-0x000000007100C000-memory.dmp

Filesize
304KB

Download
memory/4020-182-0x0000000005CA0000-0x0000000005FF7000-memory.dmp

Filesize
3.3MB

Download
memory/4212-219-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4212-214-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4212-208-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4936-111-0x0000000071240000-0x0000000071597000-memory.dmp

Filesize
3.3MB

Download
memory/4936-110-0x00000000710A0000-0x00000000710EC000-memory.dmp

Filesize
304KB

Download
memory/5084-85-0x00000000055F0000-0x0000000005947000-memory.dmp

Filesize
3.3MB

Download
memory/5084-87-0x00000000710A0000-0x00000000710EC000-memory.dmp

Filesize
304KB

Download
memory/5084-88-0x00000000712F0000-0x0000000071647000-memory.dmp

Filesize
3.3MB

Download