glupteba | edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a

Analysis

max time kernel
182s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Size

4.1MB
MD5

e90424aede26e1dab377e4fa67d993bd
SHA1

beaa664c8ae8862d51a38aad3274213c3392ab8f
SHA256

edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a
SHA512

fb7186160f8cd8dbfb386df97d1c41c402f6343d3a543f2662e2b25a037386b31c974337680fade5e62f6bae65e59815ecb5a85b15a2a6d056c52841407210c2
SSDEEP

98304:oRTkDuHgmYx/lUN44oPlaFTRDd8Vl17ZH+qKHzyof587dicDjg0:SumYx/lUN44oEJmBCTyoq7dicB

Score

10^/10

glupteba discovery dropper evasion loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1548-1-0x0000000002F60000-0x000000000384B000-memory.dmp	family_glupteba
behavioral2/memory/1548-2-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1548-3-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1548-7-0x0000000002F60000-0x000000000384B000-memory.dmp	family_glupteba
behavioral2/memory/1548-9-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1548-54-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1548-61-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1420-62-0x0000000002FA0000-0x000000000388B000-memory.dmp	family_glupteba
behavioral2/memory/1420-63-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1420-64-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1420-95-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1420-104-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1420-154-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1420-172-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/1420-179-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3308-194-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral2/memory/3308-228-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

220 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

3308 csrss.exe

pid	process
220	netsh.exe

pid	process
3308	csrss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe

Drops file in Windows directory 2 IoCs

Processes:

edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
File opened for modification	C:\Windows\rss	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4612 schtasks.exe

pid	process
4612	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exeedc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exepowershell.exeedc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1812	powershell.exe
1812	powershell.exe
1548	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1548	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
3704	powershell.exe
3704	powershell.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
1844	powershell.exe
1844	powershell.exe
4048	powershell.exe
4048	powershell.exe
1184	powershell.exe
1184	powershell.exe
4752	powershell.exe
4752	powershell.exe
4636	powershell.exe
4636	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exeedc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1548	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Token: SeImpersonatePrivilege	1548	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exeedc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.execmd.execsrss.exe

description	pid	process	target process
PID 1548 wrote to memory of 1812	1548	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1548 wrote to memory of 1812	1548	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1548 wrote to memory of 1812	1548	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 3704	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 3704	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 3704	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 1472	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	cmd.exe
PID 1420 wrote to memory of 1472	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	cmd.exe
PID 1472 wrote to memory of 220	1472	cmd.exe	netsh.exe
PID 1472 wrote to memory of 220	1472	cmd.exe	netsh.exe
PID 1420 wrote to memory of 1844	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 1844	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 1844	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 4048	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 4048	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 4048	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	powershell.exe
PID 1420 wrote to memory of 3308	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	csrss.exe
PID 1420 wrote to memory of 3308	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	csrss.exe
PID 1420 wrote to memory of 3308	1420	edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe	csrss.exe
PID 3308 wrote to memory of 1184	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 1184	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 1184	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 4752	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 4752	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 4752	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 4636	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 4636	3308	csrss.exe	powershell.exe
PID 3308 wrote to memory of 4636	3308	csrss.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
"C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe
"C:\Users\Admin\AppData\Local\Temp\edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a.exe"
2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:4612

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzra5ikx.3wp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
9a737c7f39de507d6b6060c2d8b62163

SHA1
ef616a0c653782ed53b1697d09fd2a0a84781a0c

SHA256
b41d3a6071e5eb127d81b4ec2708accf0f0a59653195175f4ba9b8d4d7981db0

SHA512
8b40db04f459c69b5759b422caf3a7d0fe16a8cf69831651ea3e4eb27206db5c35f608a5d868ae43433e15f14eb8e7a9c04b1ff4cb95691381a67d3b39c5e724

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
35KB

MD5
c0c4404d7fa40cfc426fa66648e532c2

SHA1
d60dcafc42c6cca766a81d5bfdd8e86978940db0

SHA256
ca8746b989ce25d54f1b7fa117f804f162d842228b7f6e9422aeaf0cc6a017f3

SHA512
c84bb02966316ee10a38f35516964e4b2730a4a36ede9e13e8b3cf8669756dc7ed44fa5d06e30347050b854e6f82219a38db13dce3b16138354aa331c73d02b9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
80c49d0dac2ace724ae6d9307af8c240

SHA1
0223a8e81d93f436c97beced7e2bd3531d6cf528

SHA256
eacb6e9c1c784c31e2cd41d536ec81769b71175c069dfdefb12faaad300a6936

SHA512
9f4591838515a29c208d4828d7c06e1225e3651d83fbfc8e348e1cee38edaad3af3970fd7381bb1b1f6ee35f5da564097d762a36b1803b75669a2d4de29be2ff

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
adcbbefb38dbe64de4619518e5c82c17

SHA1
5feda8c9ae02fc9c9fdabf6aa79b9412f88fbe3c

SHA256
c9d36a2ea4b0cc2df3adcfc4c6d501d2b1216da99e77849871ce172dbe2cd051

SHA512
f364a6d09589b5840afd41f4bad518df1228a7038b721d5b37e5b25364e89f7eaee6bab5d578df312b314fe996e49b13082e19b93ad8fc0d90a2e61c4fa9dcb7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
2938fedb8e287ded5f9bd06e668cb8ad

SHA1
dcf5c527ca2c3a178ad990d70c983a90d2b4b4c5

SHA256
19a7ea09f5175a890f6c4eb2d4939fed19e65b118995d5b6596fa03fae5c3323

SHA512
2a2f0f6e5bae7d1c51cf5554d0aa60ca666cd4d83af1b151950d157b6d6cdf54107d20bca4b05018636610c6a4f0a82332875d77bcc9e32d156b3ded6d4fa508

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
5a65a8d31f238634b63c3928037937bf

SHA1
8e98d1742fbf87b4703fd1717b97015bde34cb9b

SHA256
0c8a33ef2189775cfd64921ceaed5104cb2ae8b4a4768029d147fcc544b220a9

SHA512
cf660750a64d649ff6f5a61f7b21509d5fa8bd1599de75a962c9e29c83685b28e701a829a1e555497c121ec0accaf19814bb20ca256e7fc8220cdcc0259cd936

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
930dff1111bb1fe95b50f35f9b81f8fa

SHA1
286b45d11165154d89c39e4a4e336b33f1bc148c

SHA256
fa6dd6cc9aae1c05bb9fc2ccd7f28f9c04fa9c42d8428453fc44dc31a5fe85a7

SHA512
8ccb9d6d951532c1a6f4c1d2b1d153cde4c46e29c2aeb6bdec5bd997ca80fe35d5075640471d6472c20e1af36869d385fac389714495d2620e972607d5c8d5a5

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
e90424aede26e1dab377e4fa67d993bd

SHA1
beaa664c8ae8862d51a38aad3274213c3392ab8f

SHA256
edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a

SHA512
fb7186160f8cd8dbfb386df97d1c41c402f6343d3a543f2662e2b25a037386b31c974337680fade5e62f6bae65e59815ecb5a85b15a2a6d056c52841407210c2

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
e90424aede26e1dab377e4fa67d993bd

SHA1
beaa664c8ae8862d51a38aad3274213c3392ab8f

SHA256
edc7a1ca30b7dd9e8eccee42f47121d144f2bd410ae6cb522cc9b52902a1d74a

SHA512
fb7186160f8cd8dbfb386df97d1c41c402f6343d3a543f2662e2b25a037386b31c974337680fade5e62f6bae65e59815ecb5a85b15a2a6d056c52841407210c2

Download Submit
memory/1420-179-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1420-104-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1420-95-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1420-64-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1420-172-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1420-154-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1420-63-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1420-62-0x0000000002FA0000-0x000000000388B000-memory.dmp

Filesize
8.9MB

Download
memory/1548-7-0x0000000002F60000-0x000000000384B000-memory.dmp

Filesize
8.9MB

Download
memory/1548-9-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-0-0x0000000002B60000-0x0000000002F58000-memory.dmp

Filesize
4.0MB

Download
memory/1548-54-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-4-0x0000000002B60000-0x0000000002F58000-memory.dmp

Filesize
4.0MB

Download
memory/1548-3-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-2-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1548-1-0x0000000002F60000-0x000000000384B000-memory.dmp

Filesize
8.9MB

Download
memory/1548-61-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1812-32-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1812-35-0x0000000006F70000-0x0000000006F8A000-memory.dmp

Filesize
104KB

Download
memory/1812-50-0x0000000007190000-0x0000000007233000-memory.dmp

Filesize
652KB

Download
memory/1812-51-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/1812-52-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/1812-53-0x00000000072A0000-0x00000000072B1000-memory.dmp

Filesize
68KB

Download
memory/1812-39-0x0000000070910000-0x0000000070C64000-memory.dmp

Filesize
3.3MB

Download
memory/1812-55-0x00000000072E0000-0x00000000072EE000-memory.dmp

Filesize
56KB

Download
memory/1812-56-0x00000000072F0000-0x0000000007304000-memory.dmp

Filesize
80KB

Download
memory/1812-57-0x00000000073E0000-0x00000000073FA000-memory.dmp

Filesize
104KB

Download
memory/1812-58-0x0000000007320000-0x0000000007328000-memory.dmp

Filesize
32KB

Download
memory/1812-60-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1812-38-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/1812-37-0x0000000007150000-0x0000000007182000-memory.dmp

Filesize
200KB

Download
memory/1812-36-0x000000007F450000-0x000000007F460000-memory.dmp

Filesize
64KB

Download
memory/1812-31-0x0000000006120000-0x0000000006164000-memory.dmp

Filesize
272KB

Download
memory/1812-5-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1812-6-0x0000000002530000-0x0000000002566000-memory.dmp

Filesize
216KB

Download
memory/1812-8-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1812-10-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/1812-12-0x0000000004B50000-0x0000000004B72000-memory.dmp

Filesize
136KB

Download
memory/1812-13-0x0000000004CF0000-0x0000000004D56000-memory.dmp

Filesize
408KB

Download
memory/1812-14-0x0000000004D60000-0x0000000004DC6000-memory.dmp

Filesize
408KB

Download
memory/1812-24-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/1812-25-0x0000000005970000-0x000000000598E000-memory.dmp

Filesize
120KB

Download
memory/1812-34-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/1812-26-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1812-49-0x0000000007130000-0x000000000714E000-memory.dmp

Filesize
120KB

Download
memory/1812-27-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/1812-28-0x00000000060D0000-0x000000000611C000-memory.dmp

Filesize
304KB

Download
memory/1812-33-0x0000000006EF0000-0x0000000006F66000-memory.dmp

Filesize
472KB

Download
memory/1844-139-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1844-137-0x0000000007480000-0x0000000007494000-memory.dmp

Filesize
80KB

Download
memory/1844-109-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1844-111-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1844-110-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1844-123-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1844-125-0x000000007F6D0000-0x000000007F6E0000-memory.dmp

Filesize
64KB

Download
memory/1844-126-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/1844-127-0x0000000070EE0000-0x0000000071234000-memory.dmp

Filesize
3.3MB

Download
memory/3308-228-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3308-194-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/3704-81-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3704-82-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/3704-65-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/3704-103-0x0000000007420000-0x0000000007434000-memory.dmp

Filesize
80KB

Download
memory/3704-96-0x00000000073D0000-0x00000000073E1000-memory.dmp

Filesize
68KB

Download
memory/3704-94-0x0000000007120000-0x00000000071C3000-memory.dmp

Filesize
652KB

Download
memory/3704-83-0x0000000070EE0000-0x0000000071234000-memory.dmp

Filesize
3.3MB

Download
memory/3704-97-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3704-107-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/3704-80-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3704-79-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/3704-67-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/3704-98-0x000000007F410000-0x000000007F420000-memory.dmp

Filesize
64KB

Download
memory/3704-66-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4048-141-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/4048-140-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download