glupteba | 486ca0c7b2c67e899d74392deb9bd609d41b185b0364b7c161f8d2d042a31786

Analysis

max time kernel
139s
max time network
166s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

759.0MB
MD5

a3a3e8990cefc370fc3c3db21603f21e
SHA1

43363d10f946a9dba9b4f004bc961bd3991029e5
SHA256

239c9656f60b14ee7ab89da649d1411c8d1fa2d5fa1d687e61e5680674ff279b
SHA512

d543fb6072c3e25e6a67a6a7a904cb9f9ce1c48774fadc09f8e1c147c1467a5ef73f6b1b81850bb0a28a3653834c31c8acb1be88543f467a1e6f32dffd9c3e9e
SSDEEP

98304:u5mpCa1OHSR+XHb3Poj+eKiW6ytGwWXW:GWCamxbw6/iCww

Score

10^/10

glupteba stealc dropper evasion loader spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.23

Attributes

url_path
/f993692117a3fda2.php

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1804-697-0x0000000003B80000-0x000000000446B000-memory.dmp	family_glupteba
behavioral1/memory/1804-714-0x0000000000400000-0x0000000001DF9000-memory.dmp	family_glupteba
behavioral1/memory/1804-783-0x0000000000400000-0x0000000001DF9000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1384 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

pid	process
1384	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 5 IoCs

Processes:

oZ5NhooIfJsFIlqkLX9Qc0yY.exeRpRd7zNaLERyFBlQILEC_fk5.exeX8RNPL2BYZopR7vrXBqLS83R.exes6fRVnYTHoR8W_2dovpzDSES.exeis-QSE33.tmp

pid	process
1804	oZ5NhooIfJsFIlqkLX9Qc0yY.exe
2412	RpRd7zNaLERyFBlQILEC_fk5.exe
2476	X8RNPL2BYZopR7vrXBqLS83R.exe
2420	s6fRVnYTHoR8W_2dovpzDSES.exe
656	is-QSE33.tmp

Loads dropped DLL 4 IoCs

Processes:

RpRd7zNaLERyFBlQILEC_fk5.exe

pid process

2412 RpRd7zNaLERyFBlQILEC_fk5.exe
2412 RpRd7zNaLERyFBlQILEC_fk5.exe
2412 RpRd7zNaLERyFBlQILEC_fk5.exe
2412 RpRd7zNaLERyFBlQILEC_fk5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2412	RpRd7zNaLERyFBlQILEC_fk5.exe
2412	RpRd7zNaLERyFBlQILEC_fk5.exe
2412	RpRd7zNaLERyFBlQILEC_fk5.exe
2412	RpRd7zNaLERyFBlQILEC_fk5.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2216-0-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-7-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-8-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-9-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-10-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-11-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-12-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-14-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-13-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-88-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-180-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-260-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-533-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-622-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-655-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida
behavioral1/memory/2216-782-0x000000013FCA0000-0x00000001403A4000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

15 bitbucket.org
27 bitbucket.org
58 bitbucket.org
64 bitbucket.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.myip.com
5 api.myip.com
10 ipinfo.io
11 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

flow	ioc
15	bitbucket.org
27	bitbucket.org
58	bitbucket.org
64	bitbucket.org

flow	ioc
4	api.myip.com
5	api.myip.com
10	ipinfo.io
11	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

setup.exe

pid process

2216 setup.exe

pid	process
2216	setup.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	setup.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

setup.exeRpRd7zNaLERyFBlQILEC_fk5.exe

description	pid	process	target process
PID 2216 wrote to memory of 1804	2216	setup.exe	oZ5NhooIfJsFIlqkLX9Qc0yY.exe
PID 2216 wrote to memory of 1804	2216	setup.exe	oZ5NhooIfJsFIlqkLX9Qc0yY.exe
PID 2216 wrote to memory of 1804	2216	setup.exe	oZ5NhooIfJsFIlqkLX9Qc0yY.exe
PID 2216 wrote to memory of 1804	2216	setup.exe	oZ5NhooIfJsFIlqkLX9Qc0yY.exe
PID 2216 wrote to memory of 2420	2216	setup.exe	s6fRVnYTHoR8W_2dovpzDSES.exe
PID 2216 wrote to memory of 2420	2216	setup.exe	s6fRVnYTHoR8W_2dovpzDSES.exe
PID 2216 wrote to memory of 2420	2216	setup.exe	s6fRVnYTHoR8W_2dovpzDSES.exe
PID 2216 wrote to memory of 2420	2216	setup.exe	s6fRVnYTHoR8W_2dovpzDSES.exe
PID 2216 wrote to memory of 2476	2216	setup.exe	X8RNPL2BYZopR7vrXBqLS83R.exe
PID 2216 wrote to memory of 2476	2216	setup.exe	X8RNPL2BYZopR7vrXBqLS83R.exe
PID 2216 wrote to memory of 2476	2216	setup.exe	X8RNPL2BYZopR7vrXBqLS83R.exe
PID 2216 wrote to memory of 2476	2216	setup.exe	X8RNPL2BYZopR7vrXBqLS83R.exe
PID 2216 wrote to memory of 2412	2216	setup.exe	RpRd7zNaLERyFBlQILEC_fk5.exe
PID 2216 wrote to memory of 2412	2216	setup.exe	RpRd7zNaLERyFBlQILEC_fk5.exe
PID 2216 wrote to memory of 2412	2216	setup.exe	RpRd7zNaLERyFBlQILEC_fk5.exe
PID 2216 wrote to memory of 2412	2216	setup.exe	RpRd7zNaLERyFBlQILEC_fk5.exe
PID 2216 wrote to memory of 2412	2216	setup.exe	RpRd7zNaLERyFBlQILEC_fk5.exe
PID 2216 wrote to memory of 2412	2216	setup.exe	RpRd7zNaLERyFBlQILEC_fk5.exe
PID 2216 wrote to memory of 2412	2216	setup.exe	RpRd7zNaLERyFBlQILEC_fk5.exe
PID 2412 wrote to memory of 656	2412	RpRd7zNaLERyFBlQILEC_fk5.exe	is-QSE33.tmp
PID 2412 wrote to memory of 656	2412	RpRd7zNaLERyFBlQILEC_fk5.exe	is-QSE33.tmp
PID 2412 wrote to memory of 656	2412	RpRd7zNaLERyFBlQILEC_fk5.exe	is-QSE33.tmp
PID 2412 wrote to memory of 656	2412	RpRd7zNaLERyFBlQILEC_fk5.exe	is-QSE33.tmp
PID 2412 wrote to memory of 656	2412	RpRd7zNaLERyFBlQILEC_fk5.exe	is-QSE33.tmp
PID 2412 wrote to memory of 656	2412	RpRd7zNaLERyFBlQILEC_fk5.exe	is-QSE33.tmp
PID 2412 wrote to memory of 656	2412	RpRd7zNaLERyFBlQILEC_fk5.exe	is-QSE33.tmp

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\Documents\SimpleAdobe\oZ5NhooIfJsFIlqkLX9Qc0yY.exe
C:\Users\Admin\Documents\SimpleAdobe\oZ5NhooIfJsFIlqkLX9Qc0yY.exe
2⤵
- Executes dropped EXE
PID:1804

C:\Users\Admin\Documents\SimpleAdobe\oZ5NhooIfJsFIlqkLX9Qc0yY.exe
"C:\Users\Admin\Documents\SimpleAdobe\oZ5NhooIfJsFIlqkLX9Qc0yY.exe"
3⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2152

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1384

C:\Users\Admin\Documents\SimpleAdobe\RpRd7zNaLERyFBlQILEC_fk5.exe
C:\Users\Admin\Documents\SimpleAdobe\RpRd7zNaLERyFBlQILEC_fk5.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\is-VSHBE.tmp\is-QSE33.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VSHBE.tmp\is-QSE33.tmp" /SL4 $40164 "C:\Users\Admin\Documents\SimpleAdobe\RpRd7zNaLERyFBlQILEC_fk5.exe" 4499144 52224
3⤵
- Executes dropped EXE
PID:656

C:\Users\Admin\AppData\Local\Color Media Player\recorder32.exe
"C:\Users\Admin\AppData\Local\Color Media Player\recorder32.exe" -i
4⤵
PID:1092

C:\Users\Admin\AppData\Local\Color Media Player\recorder32.exe
"C:\Users\Admin\AppData\Local\Color Media Player\recorder32.exe" -s
4⤵
PID:1628

C:\Users\Admin\Documents\SimpleAdobe\s6fRVnYTHoR8W_2dovpzDSES.exe
C:\Users\Admin\Documents\SimpleAdobe\s6fRVnYTHoR8W_2dovpzDSES.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\Documents\SimpleAdobe\X8RNPL2BYZopR7vrXBqLS83R.exe
C:\Users\Admin\Documents\SimpleAdobe\X8RNPL2BYZopR7vrXBqLS83R.exe
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -s EGNB_.TZH
3⤵
PID:1512

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240420145433.log C:\Windows\Logs\CBS\CbsPersist_20240420145433.cab
1⤵
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
679aa39128d2d0b27c8572d198837345

SHA1
fd754355ca41bde435fe0734cb63a85a3e2f7958

SHA256
def68a4612c5234f47f74623fce640f4f11eb8443e1fcb3793e84a627c70e696

SHA512
0c543c05b6b71d1b5671638034d0634c68a24affc253a7857890e1df93aedb94de3c1e5190be18c4ffca4ebb0a7bd9b4856c1104afc193f65e99b41e407ea667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d0f6b1946d2a6e45d19915d21c02ad35

SHA1
f6a04dd43cdf0aee57116d03e8bbad02bc63962f

SHA256
44999c05a3a035d614a9f9af526cd08ae0fd68c9c017d810b316b015c821abe3

SHA512
1134d5eb7ee66fef9d5c40084bd092b2c2284d5053fd8d37528ea0bfd6ef8921b902a3cb6ea66b4351832e3183143324ea02dd64136ba1d28e4eb0b55d383d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE2C.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAFD8.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\RpRd7zNaLERyFBlQILEC_fk5.exe
Filesize
4.5MB

MD5
2bd96cc141b9fdc7f2e52425d0a1d24b

SHA1
347b15315109be8d5548fb058c9d59c7fc1e4a09

SHA256
33a917029b7e9e9899871fe3d39cf340c4e8c6024536c9a09d441b3d9a594d8e

SHA512
7e67157f478131755faa8a4d09656d25061f3810c7de5e51ac99ecdf6577c44bb42ee4d232f4742c0cfa28dbd43f38f12993c0cd774351a8d4dffa31a7d8a80d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\X8RNPL2BYZopR7vrXBqLS83R.exe
Filesize
3.3MB

MD5
00cb79e6d5dda3e7784a43e8b899425c

SHA1
7b8b7581b8a88273c5a3be699c0fd56ffe9736c1

SHA256
8a25d2dd831dc3f6f2d38bbbce32ca17f13a43ea20376201f96a2440619fb28a

SHA512
1ade51f8e91a270538b2397ebb53d14f31d5c9e47acf1efb517e2bbf372d4552f3b05295e9f9b6b42dc2b67a0ac0af51085a8c92193a7201141a8a0d2c0ef73a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oZ5NhooIfJsFIlqkLX9Qc0yY.exe
Filesize
4.2MB

MD5
97f8f429d24efcb849e68d1851016c00

SHA1
dfdac8d8663644d1662dd89743b9c3cb0913efc6

SHA256
a022f144f067e82e3300ce38a93dcb92ae3c83f6c7fb48b7c4814c02a68243bc

SHA512
31ad7b613cd88914f157581ef7e38aaa0be150216aaed62935afdeed6dc9ae04d05878994e12e5d61b8be1341a4126c2eadeee597e47a2d00450d9f29302536c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\s6fRVnYTHoR8W_2dovpzDSES.exe
Filesize
301KB

MD5
e023cd02884ee39b41844face446dc00

SHA1
24eb2a6d6c0bfddb355c0c48c691d072291f78c1

SHA256
92a051d53404834c79b8ef450a580e34079bdd4f5faeb62164f564785ac09c3e

SHA512
c40d93020e08c50034b6413ecb952417445d7618d6eafec6158770023a43eaeb5a128b2e8b8ab19ddec4b5a84431fec69c7f565d1210b81366fafefc33a797e9

Download Submit
\Users\Admin\AppData\Local\Color Media Player\recorder32.exe
Filesize
2.0MB

MD5
3ab5756923ba6a93749cb2b96afc273a

SHA1
c855f2f26a7972cfaa54dfc5338f65f2fdf67b9e

SHA256
b93a67f1fce36c6609862725fb2c441766111acd29ecb88d4238742a6b2baf01

SHA512
5d3f75ad499931c4404dacbe54e88d7a5e5cee238d592b4f30e48c5fce66b989e11f54312b0bb86f70af17a4b68f26d5b6b164a9ded150408845cc15b6c9889e

Download Submit
\Users\Admin\AppData\Local\Temp\EGnB_.TZH
Filesize
2.8MB

MD5
e114eb71fd0386bda8673ade88f700a7

SHA1
27e9c5f601b5e66c06c428d5e903a9c98cf8d275

SHA256
178672b0dc1e067f56c5b374494a0523a517c352bee666678655406f45f53fab

SHA512
8225890f868b8467e603f85b3e7085d329eb49a049eaac92396dbc91476eddfd263eb97acb6a6faeb01ffba92e5fea47211c823e0637715f2ed42941605bd684

Download Submit
\Users\Admin\AppData\Local\Temp\is-CGMEO.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-CGMEO.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-CGMEO.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VSHBE.tmp\is-QSE33.tmp
Filesize
648KB

MD5
d016a87d9ff4378eb33ac7d7e9a7f47e

SHA1
8070d91956be723549bef27c72aa29ceb046f2ad

SHA256
1c1451744edfaf4dc358b7c36d2dfb34df85db50cfc9d659db1434a847bee5a0

SHA512
db57333a1641235b3749785ed33bce28aec09d3c8d72713043cacb3539589f639c3734c7728c4564073a085898f116951fe94fd37f43b000122330f527ec93d8

Download Submit
memory/656-769-0x0000000003260000-0x0000000003466000-memory.dmp

Filesize
2.0MB

Download
memory/656-785-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/656-789-0x0000000003260000-0x0000000003466000-memory.dmp

Filesize
2.0MB

Download
memory/1092-768-0x0000000000C80000-0x0000000000E86000-memory.dmp

Filesize
2.0MB

Download
memory/1092-767-0x0000000000C80000-0x0000000000E86000-memory.dmp

Filesize
2.0MB

Download
memory/1092-770-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1092-786-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1092-787-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1092-780-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1512-775-0x0000000002300000-0x00000000023EF000-memory.dmp

Filesize
956KB

Download
memory/1512-762-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1512-771-0x0000000000A80000-0x0000000000B89000-memory.dmp

Filesize
1.0MB

Download
memory/1512-772-0x0000000002300000-0x00000000023EF000-memory.dmp

Filesize
956KB

Download
memory/1512-745-0x0000000010000000-0x00000000102D5000-memory.dmp

Filesize
2.8MB

Download
memory/1512-773-0x0000000002300000-0x00000000023EF000-memory.dmp

Filesize
956KB

Download
memory/1512-777-0x0000000002300000-0x00000000023EF000-memory.dmp

Filesize
956KB

Download
memory/1628-795-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1628-793-0x0000000000E20000-0x0000000001026000-memory.dmp

Filesize
2.0MB

Download
memory/1628-794-0x0000000000E20000-0x0000000001026000-memory.dmp

Filesize
2.0MB

Download
memory/1804-783-0x0000000000400000-0x0000000001DF9000-memory.dmp

Filesize
26.0MB

Download
memory/1804-667-0x0000000003780000-0x0000000003B78000-memory.dmp

Filesize
4.0MB

Download
memory/1804-694-0x0000000003780000-0x0000000003B78000-memory.dmp

Filesize
4.0MB

Download
memory/1804-714-0x0000000000400000-0x0000000001DF9000-memory.dmp

Filesize
26.0MB

Download
memory/1804-798-0x0000000000400000-0x0000000001DF9000-memory.dmp

Filesize
26.0MB

Download
memory/1804-801-0x0000000003B80000-0x000000000446B000-memory.dmp

Filesize
8.9MB

Download
memory/1804-697-0x0000000003B80000-0x000000000446B000-memory.dmp

Filesize
8.9MB

Download
memory/1992-797-0x0000000003640000-0x0000000003A38000-memory.dmp

Filesize
4.0MB

Download
memory/1992-803-0x0000000000400000-0x0000000001DF9000-memory.dmp

Filesize
26.0MB

Download
memory/1992-802-0x0000000003640000-0x0000000003A38000-memory.dmp

Filesize
4.0MB

Download
memory/2216-6-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/2216-7-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-2-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp

Filesize
432KB

Download
memory/2216-1-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp

Filesize
432KB

Download
memory/2216-3-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp

Filesize
432KB

Download
memory/2216-4-0x0000000077450000-0x00000000775F9000-memory.dmp

Filesize
1.7MB

Download
memory/2216-5-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2216-14-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-0-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-12-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-11-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-655-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-622-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-13-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-88-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-10-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-533-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-782-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-281-0x0000000077450000-0x00000000775F9000-memory.dmp

Filesize
1.7MB

Download
memory/2216-180-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-271-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp

Filesize
432KB

Download
memory/2216-260-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-181-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp

Filesize
432KB

Download
memory/2216-8-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2216-9-0x000000013FCA0000-0x00000001403A4000-memory.dmp

Filesize
7.0MB

Download
memory/2412-784-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2412-685-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2420-713-0x0000000000400000-0x0000000001A16000-memory.dmp

Filesize
22.1MB

Download
memory/2420-778-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2420-776-0x0000000000400000-0x0000000001A16000-memory.dmp

Filesize
22.1MB

Download
memory/2420-690-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/2420-688-0x0000000001AB0000-0x0000000001BB0000-memory.dmp

Filesize
1024KB

Download