glupteba | 0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4

Analysis

max time kernel
128s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Size

4.1MB
MD5

ccf94686f68da39e4fe68420b6dc7927
SHA1

26971b49a882e91df8df18d470ca76b4ca9aeb16
SHA256

0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4
SHA512

d2387543cf71ee3a9a31945d50d596fa3ad49216727c8352002f414d7cbb12fa9a4e0bcb6f27e4f55677c7c4617b916a33527426519a26ffccf3302ee0b10d75
SSDEEP

98304:Kb4JZ188yFg2NHKKQqaBHENhLOMTEbJ8tA7UUJu481DBGc:ZBdQ1naH+hM1NF8Wc

Score

10^/10

glupteba dropper evasion loader persistence upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4076-2-0x00000000041F0000-0x0000000004ADB000-memory.dmp	family_glupteba
behavioral1/memory/4076-3-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4076-4-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4076-5-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4076-8-0x00000000041F0000-0x0000000004ADB000-memory.dmp	family_glupteba
behavioral1/memory/4076-36-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4076-57-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/440-67-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4076-81-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/440-102-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/440-160-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/440-199-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4792-218-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4792-270-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4792-279-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4216 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

4792 csrss.exe

pid	process
4216	netsh.exe

pid	process
4792	csrss.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/1424-281-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

Drops file in Windows directory 2 IoCs

Processes:

0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

description	ioc	process
File opened for modification	C:\Windows\rss	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
File created	C:\Windows\rss\csrss.exe	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1708 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1700 schtasks.exe
2540 schtasks.exe

pid	process
1708	sc.exe

pid	process
1700	schtasks.exe
2540	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exe0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exepowershell.exe0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exepowershell.exepowershell.exepowershell.exe

pid	process
1400	powershell.exe
1400	powershell.exe
4076	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
4076	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
3616	powershell.exe
3616	powershell.exe
3616	powershell.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exe0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	4076	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Token: SeImpersonatePrivilege	4076	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	3556	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.execmd.execsrss.exe

description	pid	process	target process
PID 4076 wrote to memory of 1400	4076	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 4076 wrote to memory of 1400	4076	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 4076 wrote to memory of 1400	4076	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 3616	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 3616	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 3616	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 1768	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	cmd.exe
PID 440 wrote to memory of 1768	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	cmd.exe
PID 1768 wrote to memory of 4216	1768	cmd.exe	netsh.exe
PID 1768 wrote to memory of 4216	1768	cmd.exe	netsh.exe
PID 440 wrote to memory of 2440	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 2440	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 2440	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 4612	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 4612	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 4612	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	powershell.exe
PID 440 wrote to memory of 4792	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	csrss.exe
PID 440 wrote to memory of 4792	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	csrss.exe
PID 440 wrote to memory of 4792	440	0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe	csrss.exe
PID 4792 wrote to memory of 3556	4792	csrss.exe	powershell.exe
PID 4792 wrote to memory of 3556	4792	csrss.exe	powershell.exe
PID 4792 wrote to memory of 3556	4792	csrss.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
"C:\Users\Admin\AppData\Local\Temp\0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Users\Admin\AppData\Local\Temp\0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe
"C:\Users\Admin\AppData\Local\Temp\0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4.exe"
2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:1092

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2540

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:396

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:2588

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pskg2eii.qh1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
cc074368c6faaf04927c559b5c03b574

SHA1
ea8a4ac4b6ed023edc5992291faebd96b6da7cc0

SHA256
305a8df1a4a6434c3b2a08776a6962f3bb76960328c2a80adc2bf87ca9c20d22

SHA512
15560e2f6baf58101da14135292eb1b8b6658892bd4a9b4feaa05f64109eed8b8ce851e794a82e862df78a9385e500770fd07477510d2a1726270a7752a5f1e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f2094703bd00fff0f605d830ba52be84

SHA1
578d51f7ce2063f8da1458ebe6b431728aadf4e4

SHA256
750a9f2f14f984349623986139f2ac88a85d786e30bc960c9db920d612f12612

SHA512
f226e7138e6af0b62a6b3492e097a18e3720a3d011b4567372729da57c1e6be14f0fb231fb5692d88dae361271841cf71355429614bd3e6fad56e6debd45e427

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
c8074b459b92e9dce7b0f7da776edb8a

SHA1
50890e906d7f58fed6e0885fb0a0ec0b1494e096

SHA256
f180a2a262a6519f487bd9a462db58f21478f7e022bb738835bcfce0f5198f80

SHA512
945239f4e507e7ca43b7af249746a345a10cda4d4c4a308af2e1c515915ae4d2f56e0f880900d8348e20fc718a944bae56487ff3395cbdc8ed41d8c7f71b40dd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b08912f1185f1b73e1107dbf073a7a5b

SHA1
ee64359f0eb446fd5a0a90b7f31ef060cb68ccb1

SHA256
ad4934abc02f4711aadf1ea1bd0d89d84f587f159a552efd22615bbaa34374e5

SHA512
37db365d3ccd79523238b2945b66566c401034ca829d1924bed1970a7a64daa21c487521228ccef30c9df105a0c1fde779eb57f9f0e45ce3b99ec4af498c5e7b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
036b856933034ecba14651023be5df61

SHA1
0bfc7b409122f7ec69be704bcbede8c93a14a95a

SHA256
bd2b4d760717d7169b352e41183c54c83c053b4eaf50f935374428dba65a9a24

SHA512
ab312c603d5fb85d22e3cd55dd752a2ae8cf21f9025ddb9d6f64a0d01d2d0b19c3ef6c9494a5bb396bc96a347e72a29dc7ae8b16094ca4d2411f7e7f64a369dc

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
ccf94686f68da39e4fe68420b6dc7927

SHA1
26971b49a882e91df8df18d470ca76b4ca9aeb16

SHA256
0529c91f8c556990a43b8d47753a698053bca27665f11d3959884cb8ad72e5b4

SHA512
d2387543cf71ee3a9a31945d50d596fa3ad49216727c8352002f414d7cbb12fa9a4e0bcb6f27e4f55677c7c4617b916a33527426519a26ffccf3302ee0b10d75

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/440-160-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/440-103-0x0000000003B70000-0x0000000003F78000-memory.dmp

Filesize
4.0MB

Download
memory/440-102-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/440-199-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/440-67-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/440-66-0x0000000003B70000-0x0000000003F78000-memory.dmp

Filesize
4.0MB

Download
memory/1400-33-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1400-54-0x0000000007320000-0x000000000732A000-memory.dmp

Filesize
40KB

Download
memory/1400-30-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/1400-31-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/1400-32-0x00000000061F0000-0x0000000006234000-memory.dmp

Filesize
272KB

Download
memory/1400-15-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1400-34-0x0000000006FA0000-0x0000000007016000-memory.dmp

Filesize
472KB

Download
memory/1400-35-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/1400-37-0x0000000007040000-0x000000000705A000-memory.dmp

Filesize
104KB

Download
memory/1400-7-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1400-38-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1400-39-0x000000007F600000-0x000000007F610000-memory.dmp

Filesize
64KB

Download
memory/1400-40-0x0000000007200000-0x0000000007232000-memory.dmp

Filesize
200KB

Download
memory/1400-41-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/1400-42-0x0000000070EF0000-0x0000000071244000-memory.dmp

Filesize
3.3MB

Download
memory/1400-52-0x00000000071E0000-0x00000000071FE000-memory.dmp

Filesize
120KB

Download
memory/1400-53-0x0000000007240000-0x00000000072E3000-memory.dmp

Filesize
652KB

Download
memory/1400-16-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/1400-55-0x00000000073D0000-0x0000000007466000-memory.dmp

Filesize
600KB

Download
memory/1400-56-0x0000000007370000-0x0000000007381000-memory.dmp

Filesize
68KB

Download
memory/1400-10-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1400-58-0x00000000074C0000-0x00000000074CE000-memory.dmp

Filesize
56KB

Download
memory/1400-59-0x00000000074D0000-0x00000000074E4000-memory.dmp

Filesize
80KB

Download
memory/1400-60-0x0000000007510000-0x000000000752A000-memory.dmp

Filesize
104KB

Download
memory/1400-61-0x0000000007500000-0x0000000007508000-memory.dmp

Filesize
32KB

Download
memory/1400-64-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/1400-18-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/1400-17-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/1400-11-0x0000000004680000-0x00000000046B6000-memory.dmp

Filesize
216KB

Download
memory/1400-24-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/1400-13-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1400-14-0x0000000004D10000-0x0000000005338000-memory.dmp

Filesize
6.2MB

Download
memory/1424-281-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2440-122-0x0000000070F30000-0x0000000071284000-memory.dmp

Filesize
3.3MB

Download
memory/2440-114-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-133-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/2440-121-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/2440-120-0x000000007EE50000-0x000000007EE60000-memory.dmp

Filesize
64KB

Download
memory/2440-119-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2440-116-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2440-115-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2440-113-0x0000000005DC0000-0x0000000006114000-memory.dmp

Filesize
3.3MB

Download
memory/3616-69-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/3616-70-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/3616-72-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/3616-82-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/3616-100-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/3616-97-0x0000000007EA0000-0x0000000007EB4000-memory.dmp

Filesize
80KB

Download
memory/3616-68-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/3616-96-0x0000000007E30000-0x0000000007E41000-memory.dmp

Filesize
68KB

Download
memory/3616-95-0x0000000007B20000-0x0000000007BC3000-memory.dmp

Filesize
652KB

Download
memory/3616-85-0x0000000070F10000-0x0000000071264000-memory.dmp

Filesize
3.3MB

Download
memory/3616-84-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/3616-83-0x000000007F1E0000-0x000000007F1F0000-memory.dmp

Filesize
64KB

Download
memory/4076-6-0x0000000003DE0000-0x00000000041E3000-memory.dmp

Filesize
4.0MB

Download
memory/4076-81-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4076-1-0x0000000003DE0000-0x00000000041E3000-memory.dmp

Filesize
4.0MB

Download
memory/4076-2-0x00000000041F0000-0x0000000004ADB000-memory.dmp

Filesize
8.9MB

Download
memory/4076-57-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4076-8-0x00000000041F0000-0x0000000004ADB000-memory.dmp

Filesize
8.9MB

Download
memory/4076-36-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4076-3-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4076-5-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4076-4-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4612-135-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4612-134-0x00000000748F0000-0x00000000750A0000-memory.dmp

Filesize
7.7MB

Download
memory/4612-136-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/4792-218-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4792-270-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4792-279-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download