glupteba | a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
19/05/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Size

4.1MB
MD5

1f124de6e22eec25f5bf12a0cead0aa3
SHA1

df5bc45560c47326fc8ebea422dd2a31e269cfe6
SHA256

a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455
SHA512

aaaa8aadb4393400f310d7a8d9a684fda9f015e5e10c8619ada333113aa9e1a0bfb70e580b66d6b41c3acdd15b7bf322d74946880959ffb18baa788432186d11
SSDEEP

98304:ovCQaDBnSWO/B+XxjapSyZlG1PnsYHdaWgIg92gsnC3bzMZh6P1W:ovC3DFSWO/BjYGk1PnXHoWWZ1za6NW

Score

10^/10

glupteba discovery dropper evasion execution loader persistence upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral2/memory/408-2-0x0000000004670000-0x0000000004F5B000-memory.dmp	family_glupteba
behavioral2/memory/408-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/408-51-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/408-54-0x0000000004670000-0x0000000004F5B000-memory.dmp	family_glupteba
behavioral2/memory/408-53-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2264-125-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-197-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-204-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-212-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-220-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-228-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-236-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-244-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-252-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-260-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-268-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-276-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-284-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba
behavioral2/memory/4296-292-0x0000000000400000-0x0000000002365000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
832	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4296	csrss.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2748-200-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2748-203-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4620-202-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4620-211-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4620-227-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
File created	C:\Windows\rss\csrss.exe	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3584	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2840	powershell.exe
4756	powershell.exe
3344	powershell.exe
4744	powershell.exe
2376	powershell.exe
4512	powershell.exe
3924	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4972	schtasks.exe
480	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	powershell.exe
4744	powershell.exe
408	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
408	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2376	powershell.exe
2376	powershell.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
4512	powershell.exe
4512	powershell.exe
3924	powershell.exe
3924	powershell.exe
2840	powershell.exe
2840	powershell.exe
4756	powershell.exe
4756	powershell.exe
3344	powershell.exe
3344	powershell.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe
1716	injector.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	408	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Token: SeImpersonatePrivilege	408	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeSecurityPrivilege	3584	sc.exe
Token: SeSecurityPrivilege	3584	sc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4744	408	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	82
PID 408 wrote to memory of 4744	408	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	82
PID 408 wrote to memory of 4744	408	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	82
PID 2264 wrote to memory of 2376	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	88
PID 2264 wrote to memory of 2376	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	88
PID 2264 wrote to memory of 2376	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	88
PID 2264 wrote to memory of 4868	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	90
PID 2264 wrote to memory of 4868	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	90
PID 4868 wrote to memory of 832	4868	cmd.exe	92
PID 4868 wrote to memory of 832	4868	cmd.exe	92
PID 2264 wrote to memory of 4512	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	93
PID 2264 wrote to memory of 4512	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	93
PID 2264 wrote to memory of 4512	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	93
PID 2264 wrote to memory of 3924	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	95
PID 2264 wrote to memory of 3924	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	95
PID 2264 wrote to memory of 3924	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	95
PID 2264 wrote to memory of 4296	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	97
PID 2264 wrote to memory of 4296	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	97
PID 2264 wrote to memory of 4296	2264	a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe	97
PID 2748 wrote to memory of 3060	2748	windefender.exe	114
PID 2748 wrote to memory of 3060	2748	windefender.exe	114
PID 2748 wrote to memory of 3060	2748	windefender.exe	114
PID 3060 wrote to memory of 3584	3060	cmd.exe	115
PID 3060 wrote to memory of 3584	3060	cmd.exe	115
PID 3060 wrote to memory of 3584	3060	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
"C:\Users\Admin\AppData\Local\Temp\a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe
  "C:\Users\Admin\AppData\Local\Temp\a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4972
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4376
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1716
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:480
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Modifies data under HKEY_USERS
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n25i13m3.nqv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c6a1cd24412f4a1ed2d71cc29830c572

SHA1
2b9ced8a66131f6beadbc0c4c7152ef35c8dfeaa

SHA256
026395e7ec3ff7229f44841178e1483c4e5e5ca21d65a371fcd1d55b5fc74472

SHA512
0a79894fde88ac00ce0db627680fa1b3ec0c5857155ac86f8cfccff0b82d6a2e290f9a33b64f20746494a4cf40dbb095d9dd413508aa9952e826453bd1ef60cd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e41010bc6300829b8025dc55bc55a9ec

SHA1
92e1a0bdc1c88b459c42f91081553efc72704b35

SHA256
b31c0b975251d364006831eeec473f8015d5ba3419a6bc041f30ed29d0fdd164

SHA512
f850fa6309b30d8d8114438779866c1b2070951ee7ff7a80719202ec4706b11ce167f9d70331bc69e7bf39142121cdb52d7c23f2d71736664d464ab06bdd2a75

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8cb918173bc6df60c4d66efc30ca976b

SHA1
7e04f1028c5c055457ae950d2b6af34cacb04f5a

SHA256
9f00f24603a67cf4f5e67577b0114038f7b7abd84658f422fda47e109cc4b5ac

SHA512
a1415ad3b9bcad053ca6798ac2b9e7469e52e936e85e755ed5a735d62ab9ddb2f592fe71159409242c688bf839a99f3084c3ac1e10724af1e79997f09c0e3283

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
18cd9418b1fb35d04a21ea65238e8e68

SHA1
241bcebec35dd76d70242582b3f9093e06a5e165

SHA256
ce6a8befe2a232fafeff7b47adca51bc40e7ef68faabe5a89db7b114de9d9de0

SHA512
651fa18ccd730c6bf88d6c3adf1dc8056af6b0ff5f9a3a3df1a83d2f2e5ed00dd74d01aa516ba32f302092de07cb9cf92c4992ab3ae7312046a27452e0215008

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
81427c4e8e94db0d237a65f013feec93

SHA1
4f85fd846e3e04e37faec3d37b0e1cde9bf6ac7e

SHA256
360c2984319e854c1e8560ef7238cd8d6b4b3fc60378712db5cb985a61046bbc

SHA512
eca086407fcf50794a78b2ed0ff3d4dcdc33241afb87ad64cdf8a0ab3e7bd738ab1a04d504cae983dc6f79c93ac9239f5e44b3cc6354295cfc449d79daa0bdac

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
1f124de6e22eec25f5bf12a0cead0aa3

SHA1
df5bc45560c47326fc8ebea422dd2a31e269cfe6

SHA256
a90c79757efb6a38fde629f143c1f4dc877b08ca2db4e3ea12f71d537cdf9455

SHA512
aaaa8aadb4393400f310d7a8d9a684fda9f015e5e10c8619ada333113aa9e1a0bfb70e580b66d6b41c3acdd15b7bf322d74946880959ffb18baa788432186d11

Download Submit
memory/408-1-0x0000000004260000-0x0000000004663000-memory.dmp

Filesize
4.0MB

Download
memory/408-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/408-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/408-2-0x0000000004670000-0x0000000004F5B000-memory.dmp

Filesize
8.9MB

Download
memory/408-54-0x0000000004670000-0x0000000004F5B000-memory.dmp

Filesize
8.9MB

Download
memory/408-51-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/2264-125-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/2376-75-0x0000000006CE0000-0x0000000006D84000-memory.dmp

Filesize
656KB

Download
memory/2376-76-0x0000000007000000-0x0000000007011000-memory.dmp

Filesize
68KB

Download
memory/2376-64-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download
memory/2376-65-0x0000000071190000-0x00000000711DC000-memory.dmp

Filesize
304KB

Download
memory/2376-63-0x0000000005560000-0x00000000058B7000-memory.dmp

Filesize
3.3MB

Download
memory/2376-77-0x0000000007050000-0x0000000007065000-memory.dmp

Filesize
84KB

Download
memory/2376-66-0x0000000071330000-0x0000000071687000-memory.dmp

Filesize
3.3MB

Download
memory/2748-203-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2748-200-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2840-147-0x0000000006CA0000-0x0000000006D44000-memory.dmp

Filesize
656KB

Download
memory/2840-149-0x0000000005850000-0x0000000005865000-memory.dmp

Filesize
84KB

Download
memory/2840-148-0x0000000007000000-0x0000000007011000-memory.dmp

Filesize
68KB

Download
memory/2840-138-0x0000000071340000-0x0000000071697000-memory.dmp

Filesize
3.3MB

Download
memory/2840-136-0x0000000005C00000-0x0000000005C4C000-memory.dmp

Filesize
304KB

Download
memory/2840-137-0x00000000710F0000-0x000000007113C000-memory.dmp

Filesize
304KB

Download
memory/2840-126-0x0000000005490000-0x00000000057E7000-memory.dmp

Filesize
3.3MB

Download
memory/3344-187-0x0000000071190000-0x00000000714E7000-memory.dmp

Filesize
3.3MB

Download
memory/3344-184-0x0000000005930000-0x0000000005C87000-memory.dmp

Filesize
3.3MB

Download
memory/3344-186-0x0000000071010000-0x000000007105C000-memory.dmp

Filesize
304KB

Download
memory/3924-111-0x0000000071190000-0x00000000711DC000-memory.dmp

Filesize
304KB

Download
memory/3924-112-0x0000000071330000-0x0000000071687000-memory.dmp

Filesize
3.3MB

Download
memory/4296-228-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-236-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-205-0x0000000075810000-0x0000000075851000-memory.dmp

Filesize
260KB

Download
memory/4296-220-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-212-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-204-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-198-0x0000000075810000-0x0000000075851000-memory.dmp

Filesize
260KB

Download
memory/4296-244-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-197-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-252-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-260-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-268-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-276-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-209-0x0000000075680000-0x00000000756C1000-memory.dmp

Filesize
260KB

Download
memory/4296-208-0x00000000756C0000-0x00000000756D1000-memory.dmp

Filesize
68KB

Download
memory/4296-284-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4296-292-0x0000000000400000-0x0000000002365000-memory.dmp

Filesize
31.4MB

Download
memory/4512-92-0x00000000713E0000-0x0000000071737000-memory.dmp

Filesize
3.3MB

Download
memory/4512-86-0x00000000062F0000-0x0000000006647000-memory.dmp

Filesize
3.3MB

Download
memory/4512-91-0x0000000071190000-0x00000000711DC000-memory.dmp

Filesize
304KB

Download
memory/4620-202-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4620-227-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4620-211-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4744-21-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/4744-47-0x0000000007B70000-0x0000000007B78000-memory.dmp

Filesize
32KB

Download
memory/4744-4-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/4744-43-0x0000000007AE0000-0x0000000007AF1000-memory.dmp

Filesize
68KB

Download
memory/4744-5-0x0000000002FE0000-0x0000000003016000-memory.dmp

Filesize
216KB

Download
memory/4744-7-0x0000000074E10000-0x00000000755C1000-memory.dmp

Filesize
7.7MB

Download
memory/4744-6-0x0000000005900000-0x0000000005F2A000-memory.dmp

Filesize
6.2MB

Download
memory/4744-8-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/4744-10-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4744-9-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/4744-42-0x0000000007BC0000-0x0000000007C56000-memory.dmp

Filesize
600KB

Download
memory/4744-41-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

Filesize
40KB

Download
memory/4744-40-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/4744-39-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/4744-38-0x0000000074E10000-0x00000000755C1000-memory.dmp

Filesize
7.7MB

Download
memory/4744-25-0x0000000071080000-0x00000000710CC000-memory.dmp

Filesize
304KB

Download
memory/4744-36-0x0000000074E10000-0x00000000755C1000-memory.dmp

Filesize
7.7MB

Download
memory/4744-37-0x0000000007950000-0x00000000079F4000-memory.dmp

Filesize
656KB

Download
memory/4744-45-0x0000000007B30000-0x0000000007B45000-memory.dmp

Filesize
84KB

Download
memory/4744-35-0x0000000007930000-0x000000000794E000-memory.dmp

Filesize
120KB

Download
memory/4744-26-0x0000000071290000-0x00000000715E7000-memory.dmp

Filesize
3.3MB

Download
memory/4744-24-0x00000000078D0000-0x0000000007904000-memory.dmp

Filesize
208KB

Download
memory/4744-23-0x00000000068E0000-0x0000000006926000-memory.dmp

Filesize
280KB

Download
memory/4744-46-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/4744-22-0x0000000006500000-0x000000000654C000-memory.dmp

Filesize
304KB

Download
memory/4744-44-0x0000000007B20000-0x0000000007B2E000-memory.dmp

Filesize
56KB

Download
memory/4744-50-0x0000000074E10000-0x00000000755C1000-memory.dmp

Filesize
7.7MB

Download
memory/4744-20-0x0000000006010000-0x0000000006367000-memory.dmp

Filesize
3.3MB

Download
memory/4744-11-0x0000000074E10000-0x00000000755C1000-memory.dmp

Filesize
7.7MB

Download
memory/4756-174-0x0000000006430000-0x0000000006445000-memory.dmp

Filesize
84KB

Download
memory/4756-173-0x0000000007BF0000-0x0000000007C01000-memory.dmp

Filesize
68KB

Download
memory/4756-163-0x00000000711B0000-0x0000000071507000-memory.dmp

Filesize
3.3MB

Download
memory/4756-172-0x0000000007890000-0x0000000007934000-memory.dmp

Filesize
656KB

Download
memory/4756-162-0x0000000071010000-0x000000007105C000-memory.dmp

Filesize
304KB

Download
memory/4756-161-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/4756-159-0x0000000006070000-0x00000000063C7000-memory.dmp

Filesize
3.3MB

Download