glupteba | 90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b

Analysis

max time kernel
21s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Size

4.1MB
MD5

84a5024796f9f44d7818e51c4f38b0f1
SHA1

e028806848ae73eea4cba7c09d969a19e8297277
SHA256

90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b
SHA512

6afcbfe8390b3c6133195936877779902e63440fa306e337fdbdcfaef17a3bd4f2cffe06a04106e2ff54dbf5c02dfdcdac9567f14bb3003c7b69d173217adc6c
SSDEEP

98304:GGVqP0yhBzLxz/pe3iv/3aGzN2wL3r2lBgJdSO:2Bzdbph/ZziwJdSO

Score

10^/10

glupteba dropper evasion loader persistence upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/4764-2-0x0000000002EB0000-0x000000000379B000-memory.dmp	family_glupteba
behavioral1/memory/4764-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4764-57-0x0000000002EB0000-0x000000000379B000-memory.dmp	family_glupteba
behavioral1/memory/2188-58-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4764-59-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2188-125-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2188-155-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-252-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-255-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-266-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-269-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-273-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-277-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-282-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-286-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-290-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-294-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-297-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2712-301-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1700	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	csrss.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000230fe-259.dat	upx
behavioral1/files/0x00140000000230fe-260.dat	upx
behavioral1/files/0x00140000000230fe-262.dat	upx
behavioral1/memory/2236-263-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2996-267-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2996-275-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
File created	C:\Windows\rss\csrss.exe	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1408	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1728	schtasks.exe
440	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5044	powershell.exe
5044	powershell.exe
4764	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
4764	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
4196	powershell.exe
4196	powershell.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
4776	powershell.exe
4776	powershell.exe
3444	powershell.exe
3444	powershell.exe
3444	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4764	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Token: SeImpersonatePrivilege	4764	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 5044	4764	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	91
PID 4764 wrote to memory of 5044	4764	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	91
PID 4764 wrote to memory of 5044	4764	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	91
PID 2188 wrote to memory of 4196	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	98
PID 2188 wrote to memory of 4196	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	98
PID 2188 wrote to memory of 4196	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	98
PID 2188 wrote to memory of 2292	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	101
PID 2188 wrote to memory of 2292	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	101
PID 2292 wrote to memory of 1700	2292	cmd.exe	115
PID 2292 wrote to memory of 1700	2292	cmd.exe	115
PID 2188 wrote to memory of 4776	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	104
PID 2188 wrote to memory of 4776	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	104
PID 2188 wrote to memory of 4776	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	104
PID 2188 wrote to memory of 3444	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	106
PID 2188 wrote to memory of 3444	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	106
PID 2188 wrote to memory of 3444	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	106
PID 2188 wrote to memory of 2712	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	107
PID 2188 wrote to memory of 2712	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	107
PID 2188 wrote to memory of 2712	2188	90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe	107
PID 2712 wrote to memory of 3244	2712	csrss.exe	109
PID 2712 wrote to memory of 3244	2712	csrss.exe	109
PID 2712 wrote to memory of 3244	2712	csrss.exe	109

C:\Users\Admin\AppData\Local\Temp\90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
"C:\Users\Admin\AppData\Local\Temp\90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe
  "C:\Users\Admin\AppData\Local\Temp\90df1e1d4b3914d01abcc75b0fa967fa1df23f44aaf86c8207e213386541817b.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3444
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3244
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1728
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4404
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:1936
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:440
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4252
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:1408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1700

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzicbd3w.1og.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
239KB

MD5
edb1bcdc9dae2369fc571f0d3d835e1c

SHA1
ba96c28a9b198a705597448ceaa8d09cf5599ceb

SHA256
fb44417ac2c90471c7bdd7f5223992980d8f109ecbfbfe5deac17a0bfadc1c6d

SHA512
980c202810113d2331621f5f2d87f26eb1b2b3ba98f1ec61596924c863fa2308196f3de052a2ad4f5939d2f53286caece7194154342e0bd5b09c012527230ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
84ee391592ff92b138817454b9de9491

SHA1
0c2e4dedd943e3b4c399751d65cbe7545dea3c3c

SHA256
6c4f3f4c3755a0e65d85c4ffb0fb005d320456b3f7058f0de0d4a08429cd2a6c

SHA512
beadaf80598e57ccc757d1e41565ae4c7e56de1db714f20af0fd91c7c9be1145cac43719c8f44fd60b107e540945aa2c4b62a023aee960b2e74ea96f91e50833

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e0b2a91502c2beaf4ce7e4bf296e9269

SHA1
3f0b80d568784c08d15563890a76ceba03580313

SHA256
f49a28b44844e04ca240861ad9487e0f4d5b9897720340fdf9384ab58f4b5ece

SHA512
befb0d707c8cbc10775d239a132878f977fa428e987fad21383da58fa07927ead103ccfcb503a20cb26b82d1e7cbd39956fdfe76d5e3589bd3c8f4d29742bea6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
1a8502e2a11e12d15d8c66dd666fa2e3

SHA1
850166d1ac10c211cd0a8d41f3222fb2dfc09d24

SHA256
77d2715c929fa29c27743a4af4238010d51a4e62b4cb252ca8e3624f377dd495

SHA512
5de12214075b6d7e434e6fc27acf76bb04b75b58a6cc892e1b5abca69c7a473e2d5be852c3806841434c196bad40a7d417892830926ccd9a5e4fe0c2bfa7b591

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
333cb4e3fe9576f68d828b957b37c683

SHA1
20a5360b5834dabc10237c886a92d01c1b2e57b1

SHA256
157b8f15078a210bed343b1faf980c3d0ffd5873721426ee25c866476f8f3f23

SHA512
e437b389ec4ded0e50b30000ed6f85383ac0ce1674d25a768cb2d8365a73f7f3d5d7a7f271d838f74288aabed81f0abbf9e81b7044835f646e0ecdd0ecc79e9a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
20ec603a87dd2890ac5c68b9bee3a04e

SHA1
48b60cb2ff1ffadc172732a816673b8b6b0f5080

SHA256
bc3e1f9be29e351c9f002434b159ccbd73b3d6533f9e48af53f6a53afba35334

SHA512
9693498ac1241a7c0a58ed232a466a741b366d8f6df20a1c016bbf71c86f453f58da143a6906445fa754432c35a79c2c98b1d9c806291bf65dbce4d5dd317833

Download Submit
C:\Windows\rss\csrss.exe

Filesize
3KB

MD5
54cb99392b747d79d090ad482c3930a5

SHA1
cf73bc140615b3d35b715cc7744fb979221c2783

SHA256
9dc2bfff1ed97a8bbb7923b263f50b8a48698fe41d0674c4e731dd1e4536353b

SHA512
d1010bd0049be497da5c5d523389d699d47cd9936d3c57c2fb1676954b6cca66ceba1f66f49539374fe2560d8fc4776db6fbb49f6c63635cc932896099c298b1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
27KB

MD5
7e9d2cc0c60eeea86497bcc6a0295693

SHA1
9b16049f1862828173754dbf123972c4d505fb97

SHA256
514275feda60c99198200f1fd5085098ad620cf31201e6f5f5c9bd9edc8daac1

SHA512
88e24d79794f21bd2da0f2e97e1611626e5046e8b6c85e91dc2e5883b861846685d1d6b586bdefd69ccdbb695a587e219eb4b6e363f23ce77c58dd6c95313712

Download Submit
C:\Windows\windefender.exe

Filesize
101KB

MD5
6958f3ab1eef15ab611356363c284e0a

SHA1
715dd74d207abbcef925e31dc65bc524c7fef6e6

SHA256
e226aed6360f69256ca01559e063ec694c9d640827e9706bbaa456ecd1f84744

SHA512
890a0c5848b7eb185fa9c9ab7d89ee00a218cc27fcd75b4fd6b2a8dc7246a6527456f8d36b6ae0ef5e8e328e517e0d2ef2890f5c18eef6db6a684488524c0d9d

Download Submit
C:\Windows\windefender.exe

Filesize
92KB

MD5
d41f9b1a70ed2f840e93229e5357717b

SHA1
b585282223c79395efe2b7edd964cb84bb7d5b0c

SHA256
eb6293b0d9a79480e029b9afd9b0dae8547d3ccca4371fb813bada5cddd53e69

SHA512
2a1315757a0e608f84aface8b1fa70dfd031b588f220980d085cd4c05d81de94092a0161532545a020f02acdff3502530d6621be8cec1d727bb8200e6e8bfbc9

Download Submit
C:\Windows\windefender.exe

Filesize
76KB

MD5
98188338101ee625b50d4f267d7689d9

SHA1
0157b5687709cd316865b79c82cf7a16cbc09ae3

SHA256
1cf3e0768d04937d9e1a10927fc28b57248372b6d0cb634a8beb1890ccc67c7f

SHA512
4d45e22df34e4d267a0c8ec573ef9ddbe2263c48bcdc305d99264dd05b71a0c713cb3cb455f47794eba9a52975e403be376cffc8cb061f4297b7ed34fc06134e

Download Submit
memory/2188-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2188-155-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2188-55-0x0000000002BE0000-0x0000000002FDF000-memory.dmp

Filesize
4.0MB

Download
memory/2188-58-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2188-106-0x0000000002BE0000-0x0000000002FDF000-memory.dmp

Filesize
4.0MB

Download
memory/2236-263-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2712-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-290-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-266-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-305-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-269-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-255-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-277-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-282-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-297-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-294-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2712-286-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2996-275-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2996-267-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3444-129-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/3444-122-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/3444-135-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/3444-137-0x0000000071300000-0x0000000071654000-memory.dmp

Filesize
3.3MB

Download
memory/3444-121-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/3444-136-0x0000000070B80000-0x0000000070BCC000-memory.dmp

Filesize
304KB

Download
memory/4196-86-0x0000000007670000-0x0000000007681000-memory.dmp

Filesize
68KB

Download
memory/4196-90-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4196-75-0x0000000071280000-0x00000000715D4000-memory.dmp

Filesize
3.3MB

Download
memory/4196-74-0x0000000070B80000-0x0000000070BCC000-memory.dmp

Filesize
304KB

Download
memory/4196-85-0x00000000073E0000-0x0000000007483000-memory.dmp

Filesize
652KB

Download
memory/4196-60-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4196-87-0x00000000076C0000-0x00000000076D4000-memory.dmp

Filesize
80KB

Download
memory/4196-61-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4196-72-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/4196-73-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4764-2-0x0000000002EB0000-0x000000000379B000-memory.dmp

Filesize
8.9MB

Download
memory/4764-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4764-56-0x0000000002AA0000-0x0000000002EA8000-memory.dmp

Filesize
4.0MB

Download
memory/4764-59-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4764-57-0x0000000002EB0000-0x000000000379B000-memory.dmp

Filesize
8.9MB

Download
memory/4764-1-0x0000000002AA0000-0x0000000002EA8000-memory.dmp

Filesize
4.0MB

Download
memory/4776-100-0x0000000005DB0000-0x0000000006104000-memory.dmp

Filesize
3.3MB

Download
memory/4776-109-0x0000000071300000-0x0000000071654000-memory.dmp

Filesize
3.3MB

Download
memory/4776-120-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4776-108-0x0000000070B80000-0x0000000070BCC000-memory.dmp

Filesize
304KB

Download
memory/4776-107-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4776-92-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4776-93-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4776-94-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/5044-46-0x0000000008080000-0x0000000008091000-memory.dmp

Filesize
68KB

Download
memory/5044-25-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/5044-47-0x00000000080C0000-0x00000000080CE000-memory.dmp

Filesize
56KB

Download
memory/5044-49-0x00000000081C0000-0x00000000081DA000-memory.dmp

Filesize
104KB

Download
memory/5044-45-0x0000000008120000-0x00000000081B6000-memory.dmp

Filesize
600KB

Download
memory/5044-44-0x0000000008060000-0x000000000806A000-memory.dmp

Filesize
40KB

Download
memory/5044-43-0x0000000007F70000-0x0000000008013000-memory.dmp

Filesize
652KB

Download
memory/5044-42-0x0000000007F10000-0x0000000007F2E000-memory.dmp

Filesize
120KB

Download
memory/5044-32-0x0000000071150000-0x00000000714A4000-memory.dmp

Filesize
3.3MB

Download
memory/5044-30-0x0000000007F30000-0x0000000007F62000-memory.dmp

Filesize
200KB

Download
memory/5044-31-0x0000000070B80000-0x0000000070BCC000-memory.dmp

Filesize
304KB

Download
memory/5044-29-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

Filesize
64KB

Download
memory/5044-27-0x00000000083F0000-0x0000000008A6A000-memory.dmp

Filesize
6.5MB

Download
memory/5044-28-0x0000000007D70000-0x0000000007D8A000-memory.dmp

Filesize
104KB

Download
memory/5044-26-0x0000000007CF0000-0x0000000007D66000-memory.dmp

Filesize
472KB

Download
memory/5044-48-0x00000000080D0000-0x00000000080E4000-memory.dmp

Filesize
80KB

Download
memory/5044-24-0x0000000006F30000-0x0000000006F74000-memory.dmp

Filesize
272KB

Download
memory/5044-23-0x00000000069E0000-0x0000000006A2C000-memory.dmp

Filesize
304KB

Download
memory/5044-22-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/5044-21-0x0000000006360000-0x00000000066B4000-memory.dmp

Filesize
3.3MB

Download
memory/5044-11-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/5044-10-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/5044-9-0x00000000059B0000-0x00000000059D2000-memory.dmp

Filesize
136KB

Download
memory/5044-8-0x0000000005B10000-0x0000000006138000-memory.dmp

Filesize
6.2MB

Download
memory/5044-6-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/5044-7-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/5044-5-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/5044-4-0x00000000053B0000-0x00000000053E6000-memory.dmp

Filesize
216KB

Download
memory/5044-50-0x0000000008110000-0x0000000008118000-memory.dmp

Filesize
32KB

Download
memory/5044-53-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download