glupteba | bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde

Analysis

max time kernel
150s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
27-04-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Size

4.1MB
MD5

310e051c4e2781a3cd7bced24585ab6b
SHA1

18bd6983988ecbcb6f9fe0e1f07e83e9e5337ac2
SHA256

bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde
SHA512

1a9a261d66a76b4363772c68a4d7a5cf7638c9eaac8bea3eef0d54407eb58a0e7029b8cf48dbb2b5e957bd7e7018c75a6e933c60f266a9bda82975b6a257c619
SSDEEP

98304:hBrcvoQ3bpeAYFyI5s2iXAaDVcYvvxcUB482tlsgYA74q:hBQ8JjsJRJcupcUK8wlX7x

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

Processes:

resource	yara_rule
behavioral2/memory/840-2-0x0000000005100000-0x00000000059EB000-memory.dmp	family_glupteba
behavioral2/memory/840-3-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/840-50-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/840-52-0x0000000005100000-0x00000000059EB000-memory.dmp	family_glupteba
behavioral2/memory/1320-89-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/1320-124-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-149-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-204-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-206-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-208-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-210-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-212-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-214-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-216-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba
behavioral2/memory/4368-218-0x0000000000400000-0x0000000002EDF000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4636 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

csrss.exeinjector.exe

pid process

4368 csrss.exe
4176 injector.exe

pid	process
4636	netsh.exe

pid	process
4368	csrss.exe
4176	injector.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exebcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

Drops file in Windows directory 2 IoCs

Processes:

bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

description	ioc	process
File opened for modification	C:\Windows\rss	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
File created	C:\Windows\rss\csrss.exe	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1088 schtasks.exe
3764 schtasks.exe

pid	process
1088	schtasks.exe
3764	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exebcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exebcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exepowershell.exebcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
3068	powershell.exe
3068	powershell.exe
840	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
840	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
708	powershell.exe
708	powershell.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
5012	powershell.exe
5012	powershell.exe
2196	powershell.exe
2196	powershell.exe
912	powershell.exe
912	powershell.exe
4464	powershell.exe
4464	powershell.exe
4856	powershell.exe
4856	powershell.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4368	csrss.exe
4368	csrss.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4368	csrss.exe
4368	csrss.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe
4176	injector.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exebcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	840	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Token: SeImpersonatePrivilege	840	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeSystemEnvironmentPrivilege	4368	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exebcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.execmd.execsrss.exe

description	pid	process	target process
PID 840 wrote to memory of 3068	840	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 840 wrote to memory of 3068	840	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 840 wrote to memory of 3068	840	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 708	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 708	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 708	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 4352	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	cmd.exe
PID 1320 wrote to memory of 4352	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	cmd.exe
PID 4352 wrote to memory of 4636	4352	cmd.exe	netsh.exe
PID 4352 wrote to memory of 4636	4352	cmd.exe	netsh.exe
PID 1320 wrote to memory of 5012	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 5012	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 5012	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 2196	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 2196	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 2196	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	powershell.exe
PID 1320 wrote to memory of 4368	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	csrss.exe
PID 1320 wrote to memory of 4368	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	csrss.exe
PID 1320 wrote to memory of 4368	1320	bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe	csrss.exe
PID 4368 wrote to memory of 912	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 912	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 912	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 4464	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 4464	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 4464	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 4856	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 4856	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 4856	4368	csrss.exe	powershell.exe
PID 4368 wrote to memory of 4176	4368	csrss.exe	injector.exe
PID 4368 wrote to memory of 4176	4368	csrss.exe	injector.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
"C:\Users\Admin\AppData\Local\Temp\bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Local\Temp\bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe
"C:\Users\Admin\AppData\Local\Temp\bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde.exe"
2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1088

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jd21i31u.4ns.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
006d60b68902df2951c31e8e79f4b2a7

SHA1
0e540605bda25a2cdd35539b3efa86a85922297a

SHA256
1caea2f1f43aba65abe1df0fa0efb3013cee6ffeb40638ee6bf228111c8c3a90

SHA512
13422b9a7ebf36a1e54fe7b822fcb40c74b8ec9ae496fc7b499b53ad0bab398f70fd769f3340219f2e79b3cb60a83d63207ac863c15fd715c80fc5d6532025a3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
3d6826ffad7b848eebc97b498dbe1829

SHA1
4f8cb4d059a4c7bbc61beff01718011cd73e4464

SHA256
0fb0f4fd87e40c599f1d64785f9ee2cacab566edb04a0e608ff82041728748ad

SHA512
bda6043517aa8c758ecd4b2f9c6c0d710d662bfcf5b4b7f2cf1ebe08d0396974a4585471572c6b02eb82c9d78ae9eb3d2f0f90396ffb9a707af93f194f92e48e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
6d4a9a466782c420c43335e24d4a7783

SHA1
7b56d3921212390b703230c6bcad20cb37ff5deb

SHA256
53480676c11a354c363e1a6e4532778a3aca3e49642a893d30ec85aaf75a7e5a

SHA512
859fd291ccb7c844c2cf9d516739aec689e89ece8ff1f94292ae8887716d59946810dca7a09842d77c3679cd5ae61d9e9384605ee325288c46016c8193a9fe67

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b139937fc15e15294b43ed8eb4d15f31

SHA1
b8bf22f44b3859dc29758de7a5e18272b41a9134

SHA256
95d3f39eb70018de022c2b291b77c403c1e99c0975f4db877d3375b0f7f89acc

SHA512
84f75f727042489f2bf4233766f6004e498007715e26a7022bae42b44114b188cac61311053008923248f296265f3cbbe13a57206b4e9d407792d4c89f7b81a6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
53393b9883247c28629f085227224b30

SHA1
99be3fab64fcee364814c2becfb4193a1fee2aac

SHA256
ccb6a8f918d47d2830a02164dd32258afc64182d5cd4804ed41200368399baf2

SHA512
a802896272181efa8aead16315533328b8cd5783c8d09858825838bbe1979c8e9343e254794c2f4b7441ee451b8ee92950bb83be4d3071df6fdcbe4fb66ddfd0

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
310e051c4e2781a3cd7bced24585ab6b

SHA1
18bd6983988ecbcb6f9fe0e1f07e83e9e5337ac2

SHA256
bcf26e5c60b8fdc77e01dda0347e08fbb8d34b109b4a48c9469b8d68de491fde

SHA512
1a9a261d66a76b4363772c68a4d7a5cf7638c9eaac8bea3eef0d54407eb58a0e7029b8cf48dbb2b5e957bd7e7018c75a6e933c60f266a9bda82975b6a257c619

Download Submit
memory/708-73-0x0000000007AB0000-0x0000000007B54000-memory.dmp

Filesize
656KB

Download
memory/708-59-0x0000000006340000-0x0000000006697000-memory.dmp

Filesize
3.3MB

Download
memory/708-63-0x0000000070400000-0x000000007044C000-memory.dmp

Filesize
304KB

Download
memory/708-64-0x0000000070610000-0x0000000070967000-memory.dmp

Filesize
3.3MB

Download
memory/708-75-0x0000000007E50000-0x0000000007E65000-memory.dmp

Filesize
84KB

Download
memory/708-74-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/840-52-0x0000000005100000-0x00000000059EB000-memory.dmp

Filesize
8.9MB

Download
memory/840-51-0x0000000003560000-0x000000000395C000-memory.dmp

Filesize
4.0MB

Download
memory/840-50-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/840-3-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/840-2-0x0000000005100000-0x00000000059EB000-memory.dmp

Filesize
8.9MB

Download
memory/840-1-0x0000000003560000-0x000000000395C000-memory.dmp

Filesize
4.0MB

Download
memory/912-139-0x0000000070580000-0x00000000708D7000-memory.dmp

Filesize
3.3MB

Download
memory/912-138-0x0000000070400000-0x000000007044C000-memory.dmp

Filesize
304KB

Download
memory/1320-89-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/1320-124-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/2196-111-0x0000000070580000-0x00000000708D7000-memory.dmp

Filesize
3.3MB

Download
memory/2196-110-0x0000000070400000-0x000000007044C000-memory.dmp

Filesize
304KB

Download
memory/3068-26-0x0000000070580000-0x00000000708D7000-memory.dmp

Filesize
3.3MB

Download
memory/3068-9-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download
memory/3068-45-0x0000000007BE0000-0x0000000007BE8000-memory.dmp

Filesize
32KB

Download
memory/3068-48-0x0000000074190000-0x0000000074941000-memory.dmp

Filesize
7.7MB

Download
memory/3068-43-0x0000000007AC0000-0x0000000007AD5000-memory.dmp

Filesize
84KB

Download
memory/3068-42-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download
memory/3068-41-0x0000000007A70000-0x0000000007A81000-memory.dmp

Filesize
68KB

Download
memory/3068-40-0x0000000007B00000-0x0000000007B96000-memory.dmp

Filesize
600KB

Download
memory/3068-39-0x0000000007A40000-0x0000000007A4A000-memory.dmp

Filesize
40KB

Download
memory/3068-38-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/3068-37-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/3068-36-0x00000000078E0000-0x0000000007984000-memory.dmp

Filesize
656KB

Download
memory/3068-35-0x00000000078C0000-0x00000000078DE000-memory.dmp

Filesize
120KB

Download
memory/3068-25-0x0000000070400000-0x000000007044C000-memory.dmp

Filesize
304KB

Download
memory/3068-24-0x0000000007860000-0x0000000007894000-memory.dmp

Filesize
208KB

Download
memory/3068-23-0x0000000006A10000-0x0000000006A56000-memory.dmp

Filesize
280KB

Download
memory/3068-4-0x0000000004FD0000-0x0000000005006000-memory.dmp

Filesize
216KB

Download
memory/3068-5-0x0000000074190000-0x0000000074941000-memory.dmp

Filesize
7.7MB

Download
memory/3068-22-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/3068-21-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/3068-20-0x0000000005F80000-0x00000000062D7000-memory.dmp

Filesize
3.3MB

Download
memory/3068-11-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3068-10-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3068-44-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

Filesize
104KB

Download
memory/3068-8-0x00000000057C0000-0x0000000005DEA000-memory.dmp

Filesize
6.2MB

Download
memory/3068-6-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/3068-7-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4368-204-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-149-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-218-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-216-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-214-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-212-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-210-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-208-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4368-206-0x0000000000400000-0x0000000002EDF000-memory.dmp

Filesize
42.9MB

Download
memory/4464-174-0x0000000007270000-0x0000000007314000-memory.dmp

Filesize
656KB

Download
memory/4464-176-0x0000000005990000-0x00000000059A5000-memory.dmp

Filesize
84KB

Download
memory/4464-175-0x00000000075E0000-0x00000000075F1000-memory.dmp

Filesize
68KB

Download
memory/4464-160-0x0000000005B60000-0x0000000005EB7000-memory.dmp

Filesize
3.3MB

Download
memory/4464-164-0x0000000070320000-0x000000007036C000-memory.dmp

Filesize
304KB

Download
memory/4464-165-0x00000000704A0000-0x00000000707F7000-memory.dmp

Filesize
3.3MB

Download
memory/4464-162-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/4856-188-0x0000000070320000-0x000000007036C000-memory.dmp

Filesize
304KB

Download
memory/4856-189-0x0000000070570000-0x00000000708C7000-memory.dmp

Filesize
3.3MB

Download
memory/4856-178-0x00000000057D0000-0x0000000005B27000-memory.dmp

Filesize
3.3MB

Download
memory/5012-91-0x0000000070580000-0x00000000708D7000-memory.dmp

Filesize
3.3MB

Download
memory/5012-90-0x0000000070400000-0x000000007044C000-memory.dmp

Filesize
304KB

Download