glupteba | 0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308

Analysis

max time kernel
92s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Size

4.1MB
MD5

9b58cd3580f7856ddb5893af6db26d7c
SHA1

5859a1a2d25dc22322ab3d38df05b97e64e11991
SHA256

0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308
SHA512

024e26ab7c7cbc5a835c62c1ea5cb6d6183ae3984513765b347f0988f16322cf883b09928734d2c6c24dc8e2f14a9b44e3704b810c1b629641a6ef2589a91119
SSDEEP

98304:ab4JZ188yFg2NHKKQqaBHENhLOMTEbJ8tA7UUJu481DBGo:JBdQ1naH+hM1NF8Wo

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1028-2-0x0000000003FF0000-0x00000000048DB000-memory.dmp	family_glupteba
behavioral1/memory/1028-3-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/1028-4-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/1028-5-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/1028-9-0x0000000003FF0000-0x00000000048DB000-memory.dmp	family_glupteba
behavioral1/memory/1028-38-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/1028-66-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4960-68-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4960-102-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4960-156-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/4960-162-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/2832-232-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/2832-267-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/2832-276-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/2832-278-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/2832-280-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba
behavioral1/memory/2832-282-0x0000000000400000-0x0000000001DEE000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2900 netsh.exe

pid	process
2900	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/2288-275-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2172-277-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2172-281-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2368 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2804 schtasks.exe
316 schtasks.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe

pid	process
2368	sc.exe

pid	process
2804	schtasks.exe
316	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exe0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exe0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exepowershell.exe0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exepowershell.exepowershell.exe

pid	process
1980	powershell.exe
1980	powershell.exe
1028	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
1028	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
548	powershell.exe
548	powershell.exe
548	powershell.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
3128	powershell.exe
3128	powershell.exe
3128	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exe0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1028	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Token: SeImpersonatePrivilege	1028	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 1980	1028	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 1028 wrote to memory of 1980	1028	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 1028 wrote to memory of 1980	1028	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 548	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 548	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 548	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 1380	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	cmd.exe
PID 4960 wrote to memory of 1380	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	cmd.exe
PID 1380 wrote to memory of 2900	1380	cmd.exe	netsh.exe
PID 1380 wrote to memory of 2900	1380	cmd.exe	netsh.exe
PID 4960 wrote to memory of 3128	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 3128	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 3128	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 4440	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 4440	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe
PID 4960 wrote to memory of 4440	4960	0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
"C:\Users\Admin\AppData\Local\Temp\0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe
"C:\Users\Admin\AppData\Local\Temp\0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308.exe"
2⤵
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:2832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3460

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:316

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:4416

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2804

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:2360

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4872

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vfjjmjtd.dtk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
67793a75c49c1ee4ad1f9f60c1553c35

SHA1
2117c10314a30bc58b97c74f9b75a62a9ccb1f18

SHA256
87f369f7c41ddd6a864128b7d0bfcd2f74758f06ef17589929d462464152f5f3

SHA512
5595ba1e44b9c4e2d67711fcac613c04f4c7c58260dc223eb3bda6bfd103282d7e74afd3b3c895921e1b906bda6f153022c8aaf209ed84b1db02140bb5e73296

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
2e4ed0bf3c2444129838439d4594bf6d

SHA1
d403f0e5aaf18f1b6398956ad24fb5c489c36b4e

SHA256
8989e8c9194e3e6750cb5dd6d3e0002489635737cdc54dce9fb7a46ae0f6f488

SHA512
a2eeb85ae4b503941a74310e91adf0c9e556a1fc91a724da054debfe758c3bc51eca0e70854faf1aeeb7d15a04acb90b97624a80f11dae5673bf96da60b146f3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
ab8b3bc8d49c743f09205a5101d4abb0

SHA1
18d0924134f62182ca0dc555777173aa9c083b08

SHA256
d156ddf24dcc30ac3b99cc227e6d6b5aae7e93a40faccfc23a653dac2003e44e

SHA512
93bf875595f3105ce405cb4656a9c5a51bed3ce79f0bcafe5ec2dee8d9c3fce15ed3463689d380541089bccd42163fdfe5efa1bb091121d7a4731696b82c63f5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
a253dee5ad77edb4b547e63d94401b07

SHA1
9fd49104130cc71d7e926ff585720d5d0d4c55b9

SHA256
90e6cab2956313f68c6101474b4bba08c70f7a418eda00b1f2c8e11bbc8df871

SHA512
68e93401b9061f42a5a0b977d521f125e56370efe3d731fc3894e54369a52b9d5d60c994a9b3f3ba713f97a10a16317e1b990a69c9a04d6da835e62288889072

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
bc497fe375158d3ca6e5e9e8a52f52b4

SHA1
707076c9a9cd7e4b74bfa6ae1da1c78eb6c5b6e6

SHA256
48641eb8a9354ab8b70f9b1ca47b5b7b6a3890b6fee33c0ccfbb9af30e0f3edf

SHA512
a4cf05c25d6a2b762a07495873606e0fb5cf81ab22f6d25239b75a1393af8b6dc6318d585cb5d9d84400ca1144239998d19b11d71b9e46e4808cffb07bfd49dd

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
9b58cd3580f7856ddb5893af6db26d7c

SHA1
5859a1a2d25dc22322ab3d38df05b97e64e11991

SHA256
0e7f7e2f2aec52affc5c46f99050a6a1377a97417a361bd92ee266c490997308

SHA512
024e26ab7c7cbc5a835c62c1ea5cb6d6183ae3984513765b347f0988f16322cf883b09928734d2c6c24dc8e2f14a9b44e3704b810c1b629641a6ef2589a91119

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/548-85-0x00000000710A0000-0x00000000713F4000-memory.dmp

Filesize
3.3MB

Download
memory/548-81-0x0000000005CE0000-0x0000000006034000-memory.dmp

Filesize
3.3MB

Download
memory/548-70-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/548-69-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/548-71-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/548-82-0x00000000065B0000-0x00000000065FC000-memory.dmp

Filesize
304KB

Download
memory/548-84-0x0000000070900000-0x000000007094C000-memory.dmp

Filesize
304KB

Download
memory/548-100-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/548-83-0x000000007F810000-0x000000007F820000-memory.dmp

Filesize
64KB

Download
memory/548-97-0x0000000007880000-0x0000000007894000-memory.dmp

Filesize
80KB

Download
memory/548-96-0x0000000007810000-0x0000000007821000-memory.dmp

Filesize
68KB

Download
memory/548-95-0x0000000007310000-0x00000000073B3000-memory.dmp

Filesize
652KB

Download
memory/1028-66-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/1028-6-0x0000000003BE0000-0x0000000003FE2000-memory.dmp

Filesize
4.0MB

Download
memory/1028-2-0x0000000003FF0000-0x00000000048DB000-memory.dmp

Filesize
8.9MB

Download
memory/1028-3-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/1028-5-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/1028-38-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/1028-4-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/1028-9-0x0000000003FF0000-0x00000000048DB000-memory.dmp

Filesize
8.9MB

Download
memory/1028-1-0x0000000003BE0000-0x0000000003FE2000-memory.dmp

Filesize
4.0MB

Download
memory/1980-29-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/1980-33-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1980-53-0x00000000077F0000-0x0000000007893000-memory.dmp

Filesize
652KB

Download
memory/1980-54-0x0000000007780000-0x000000000778A000-memory.dmp

Filesize
40KB

Download
memory/1980-55-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/1980-56-0x0000000007670000-0x0000000007681000-memory.dmp

Filesize
68KB

Download
memory/1980-57-0x0000000007950000-0x000000000795E000-memory.dmp

Filesize
56KB

Download
memory/1980-58-0x0000000007A80000-0x0000000007A94000-memory.dmp

Filesize
80KB

Download
memory/1980-60-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/1980-61-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

Filesize
32KB

Download
memory/1980-64-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/1980-42-0x0000000070F60000-0x00000000712B4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-7-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/1980-8-0x0000000002C20000-0x0000000002C56000-memory.dmp

Filesize
216KB

Download
memory/1980-41-0x0000000070800000-0x000000007084C000-memory.dmp

Filesize
304KB

Download
memory/1980-40-0x00000000077B0000-0x00000000077E2000-memory.dmp

Filesize
200KB

Download
memory/1980-39-0x000000007FAE0000-0x000000007FAF0000-memory.dmp

Filesize
64KB

Download
memory/1980-37-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1980-36-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/1980-35-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/1980-34-0x0000000007550000-0x00000000075C6000-memory.dmp

Filesize
472KB

Download
memory/1980-52-0x0000000007790000-0x00000000077AE000-memory.dmp

Filesize
120KB

Download
memory/1980-32-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1980-31-0x0000000074960000-0x0000000075110000-memory.dmp

Filesize
7.7MB

Download
memory/1980-30-0x0000000006850000-0x0000000006894000-memory.dmp

Filesize
272KB

Download
memory/1980-28-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/1980-22-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-10-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1980-11-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/1980-12-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/1980-14-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/1980-15-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/1980-16-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/2172-277-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2172-281-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2288-275-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2832-267-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/2832-276-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/2832-278-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/2832-232-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/2832-280-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/2832-282-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/3128-119-0x00000000710A0000-0x00000000713F4000-memory.dmp

Filesize
3.3MB

Download
memory/3128-104-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3128-103-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3128-105-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3128-117-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/3128-118-0x0000000070900000-0x000000007094C000-memory.dmp

Filesize
304KB

Download
memory/3128-130-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-131-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-132-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/4440-142-0x0000000005870000-0x0000000005BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4440-144-0x000000007F2A0000-0x000000007F2B0000-memory.dmp

Filesize
64KB

Download
memory/4960-111-0x0000000003C40000-0x0000000004044000-memory.dmp

Filesize
4.0MB

Download
memory/4960-162-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4960-156-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4960-102-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4960-68-0x0000000000400000-0x0000000001DEE000-memory.dmp

Filesize
25.9MB

Download
memory/4960-67-0x0000000003C40000-0x0000000004044000-memory.dmp

Filesize
4.0MB

Download