glupteba | bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77

Analysis

max time kernel
20s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Size

4.1MB
MD5

f532cf823d92cee9f8c3d40226aef823
SHA1

d6a67de40f81b9f8e2028f99396d6e252b9ef761
SHA256

bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77
SHA512

4af511e053e2ac0fca5f3fc852e4f9d6cfddfae22b7e2c62fb7b61312c21041cd15f067bf952dbfbc1d559e2f1fe05345f603292d104136d493ddda31a5904c7
SSDEEP

98304:/Qx32Mq02zAeaet/0/YHlEVnWsL/fnVsJseCa8CK6QwXNx08Fy:Ix32Mq02zAeLCVnWszfVfeCa8CLXv/4

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 16 IoCs

resource	yara_rule
behavioral2/memory/1792-2-0x0000000004C10000-0x00000000054FB000-memory.dmp	family_glupteba
behavioral2/memory/1792-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1792-28-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1792-57-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1792-58-0x0000000004C10000-0x00000000054FB000-memory.dmp	family_glupteba
behavioral2/memory/1792-55-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/3216-138-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-217-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-232-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-233-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-235-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-237-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-243-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-247-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-250-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/576-251-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3376	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4836-227-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x0008000000023404-228.dat	upx
behavioral2/memory/4836-231-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4480-230-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4480-234-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4480-238-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4104	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2776	powershell.exe
1384	powershell.exe
2424	powershell.exe
976	powershell.exe
4232	powershell.exe
916	powershell.exe
1708	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2256	3216	WerFault.exe	99

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2184	schtasks.exe
3936	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
976	powershell.exe
976	powershell.exe
1792	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
1792	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
4232	powershell.exe
4232	powershell.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
916	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1792	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Token: SeImpersonatePrivilege	1792	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 976	1792	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	94
PID 1792 wrote to memory of 976	1792	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	94
PID 1792 wrote to memory of 976	1792	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	94
PID 3216 wrote to memory of 4232	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	117
PID 3216 wrote to memory of 4232	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	117
PID 3216 wrote to memory of 4232	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	117
PID 3216 wrote to memory of 2384	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	121
PID 3216 wrote to memory of 2384	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	121
PID 2384 wrote to memory of 3376	2384	cmd.exe	104
PID 2384 wrote to memory of 3376	2384	cmd.exe	104
PID 3216 wrote to memory of 916	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	105
PID 3216 wrote to memory of 916	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	105
PID 3216 wrote to memory of 916	3216	bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe	105

C:\Users\Admin\AppData\Local\Temp\bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
"C:\Users\Admin\AppData\Local\Temp\bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Users\Admin\AppData\Local\Temp\bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe
  "C:\Users\Admin\AppData\Local\Temp\bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77.exe"
  2⤵
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:3376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1708
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2776
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2184
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4232
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1384
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:840
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3936
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2672
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 928
    3⤵
    - Program crash
    PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3216 -ip 3216
1⤵
PID:4948

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bksulrhm.5ta.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
aa92c3b6546d770dc345a513f666f00d

SHA1
7b65da65169ada2fe341bbf5688892d36d667dae

SHA256
1dbd68055db1fd2dfb922d2ff72c2db24c12da5e6016e097b25c8be3a15c506a

SHA512
853bb484d7938a14162216324aeda1402af57756e61bf7e633d2dba3b500d1fbeaed0cefbebdf2b334365a1fb3c3e6ee17a1805d860ca5194730f05a06160d42

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f13fed355f19a3fa888bd89096cc9973

SHA1
9ec266d00a65bfabe7bb0ec70f8da89bcd45870b

SHA256
9178a328f4d6c27853ee13fdf39133d11690463ee8a7d68cce0679bdff6d63f5

SHA512
daf2f915451f6409c9d65db35a0d4784e97607a4e4b50a372acdf8904e3a6f5348e61ec1bbae83c9fc5467bff9cafbeddbd4192b114e3054393cdef42f08c611

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8ec9520192aaebf35ca49f79745bb5b6

SHA1
d7c067299040b994f7f908dc028eef75c411e22b

SHA256
41a7f8bd4093746f7ad689f46b90e53e9233403af5d4abb743116ef13bc5035c

SHA512
36bd0d786f8641fd872e41d6fdebe2b8c5a17c6d4ec83ec6c9e5953a18fcd4e49e54a929b5ea8234843bad745adce0b2349e1af5e98de88d0d74f86e9d089903

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3b1e7870820089f59638c3b208507838

SHA1
8d6c14a0161e0ea7bae12fb788fdecb05b9ee8be

SHA256
281bc20e2cfe282d396d5407bed75d2c90cf554cf0425d2d68fe8b35259f9b5c

SHA512
60a9b60c2131652b48fcaa864999c475c92045d463f4b4d7de15b88f41be4f62197fab72653497674c113093cbd017194f89bed4ce9b20bf517702c2842f82a9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2d9f1805a5cb9f9fe9e6e13f29fc2607

SHA1
a98858e7ff52719dbfe71148d00d65d932cf0c35

SHA256
df8745e92c3ba54e7951e26dfbfe337d5149802c6349edf846bd682a2fe8e162

SHA512
6bda3c42236b67440edea1d8516747cad1192c3bd34fa16330ab4838f905e960facbea7810010a81047941dcb6789c17536054414a0adeb476fad45c7763ed4c

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f532cf823d92cee9f8c3d40226aef823

SHA1
d6a67de40f81b9f8e2028f99396d6e252b9ef761

SHA256
bc7e8e98e67ed3d231f2d9682945e2f270830de5dbf0e5da09875aa9b08d3e77

SHA512
4af511e053e2ac0fca5f3fc852e4f9d6cfddfae22b7e2c62fb7b61312c21041cd15f067bf952dbfbc1d559e2f1fe05345f603292d104136d493ddda31a5904c7

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/576-241-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-243-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-235-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-237-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-217-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-240-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-233-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-245-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-247-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-250-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/576-251-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/916-99-0x0000000070B70000-0x0000000070EC4000-memory.dmp

Filesize
3.3MB

Download
memory/916-98-0x00000000703B0000-0x00000000703FC000-memory.dmp

Filesize
304KB

Download
memory/916-93-0x0000000005350000-0x00000000056A4000-memory.dmp

Filesize
3.3MB

Download
memory/976-44-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/976-6-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/976-29-0x00000000071C0000-0x00000000071F2000-memory.dmp

Filesize
200KB

Download
memory/976-46-0x00000000073D0000-0x0000000007466000-memory.dmp

Filesize
600KB

Download
memory/976-47-0x0000000007330000-0x0000000007341000-memory.dmp

Filesize
68KB

Download
memory/976-48-0x0000000007370000-0x000000000737E000-memory.dmp

Filesize
56KB

Download
memory/976-49-0x0000000007380000-0x0000000007394000-memory.dmp

Filesize
80KB

Download
memory/976-51-0x00000000073C0000-0x00000000073C8000-memory.dmp

Filesize
32KB

Download
memory/976-50-0x0000000007470000-0x000000000748A000-memory.dmp

Filesize
104KB

Download
memory/976-54-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/976-25-0x0000000006F70000-0x0000000006FE6000-memory.dmp

Filesize
472KB

Download
memory/976-22-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/976-30-0x00000000702B0000-0x00000000702FC000-memory.dmp

Filesize
304KB

Download
memory/976-21-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/976-11-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/976-4-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/976-5-0x0000000002660000-0x0000000002696000-memory.dmp

Filesize
216KB

Download
memory/976-7-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/976-8-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/976-23-0x0000000005C80000-0x0000000005CCC000-memory.dmp

Filesize
304KB

Download
memory/976-41-0x0000000007200000-0x000000000721E000-memory.dmp

Filesize
120KB

Download
memory/976-26-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/976-10-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/976-45-0x0000000007310000-0x000000000731A000-memory.dmp

Filesize
40KB

Download
memory/976-43-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/976-9-0x00000000053F0000-0x0000000005412000-memory.dmp

Filesize
136KB

Download
memory/976-42-0x0000000007220000-0x00000000072C3000-memory.dmp

Filesize
652KB

Download
memory/976-27-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/976-24-0x00000000061C0000-0x0000000006204000-memory.dmp

Filesize
272KB

Download
memory/976-31-0x0000000070430000-0x0000000070784000-memory.dmp

Filesize
3.3MB

Download
memory/1384-176-0x00000000054E0000-0x0000000005834000-memory.dmp

Filesize
3.3MB

Download
memory/1384-178-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/1384-190-0x0000000006DE0000-0x0000000006E83000-memory.dmp

Filesize
652KB

Download
memory/1384-180-0x00000000709E0000-0x0000000070D34000-memory.dmp

Filesize
3.3MB

Download
memory/1384-179-0x0000000070230000-0x000000007027C000-memory.dmp

Filesize
304KB

Download
memory/1384-191-0x0000000006FA0000-0x0000000006FB1000-memory.dmp

Filesize
68KB

Download
memory/1384-192-0x0000000005980000-0x0000000005994000-memory.dmp

Filesize
80KB

Download
memory/1708-112-0x0000000005ED0000-0x0000000006224000-memory.dmp

Filesize
3.3MB

Download
memory/1708-121-0x00000000703B0000-0x00000000703FC000-memory.dmp

Filesize
304KB

Download
memory/1708-122-0x0000000070B50000-0x0000000070EA4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-28-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1792-1-0x0000000004810000-0x0000000004C0F000-memory.dmp

Filesize
4.0MB

Download
memory/1792-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1792-2-0x0000000004C10000-0x00000000054FB000-memory.dmp

Filesize
8.9MB

Download
memory/1792-55-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1792-58-0x0000000004C10000-0x00000000054FB000-memory.dmp

Filesize
8.9MB

Download
memory/1792-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2424-206-0x00000000703D0000-0x0000000070724000-memory.dmp

Filesize
3.3MB

Download
memory/2424-203-0x0000000005F20000-0x0000000006274000-memory.dmp

Filesize
3.3MB

Download
memory/2424-205-0x0000000070230000-0x000000007027C000-memory.dmp

Filesize
304KB

Download
memory/2776-163-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/2776-151-0x00000000061A0000-0x00000000061EC000-memory.dmp

Filesize
304KB

Download
memory/2776-164-0x0000000007180000-0x0000000007191000-memory.dmp

Filesize
68KB

Download
memory/2776-165-0x0000000005A20000-0x0000000005A34000-memory.dmp

Filesize
80KB

Download
memory/2776-152-0x0000000070310000-0x000000007035C000-memory.dmp

Filesize
304KB

Download
memory/2776-140-0x0000000005530000-0x0000000005884000-memory.dmp

Filesize
3.3MB

Download
memory/2776-153-0x0000000070AB0000-0x0000000070E04000-memory.dmp

Filesize
3.3MB

Download
memory/3216-138-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4232-83-0x00000000077E0000-0x00000000077F4000-memory.dmp

Filesize
80KB

Download
memory/4232-82-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/4232-70-0x00000000703B0000-0x00000000703FC000-memory.dmp

Filesize
304KB

Download
memory/4232-81-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/4232-71-0x0000000070530000-0x0000000070884000-memory.dmp

Filesize
3.3MB

Download
memory/4232-69-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/4232-68-0x0000000005E40000-0x0000000006194000-memory.dmp

Filesize
3.3MB

Download
memory/4480-234-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4480-230-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4480-238-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4836-231-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4836-227-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download