glupteba | dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c

Analysis

max time kernel
82s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Size

4.1MB
MD5

c72b82ed3bd518f7c3046e31ab2a86dd
SHA1

7b574fb217baed2452febd01345fa7c4818baf69
SHA256

dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c
SHA512

f85949e6a658bdeb7f36cf7921a2715f99e0cecbc0578b5e1967e2468e5e270727b395351300f0ff761ef0120da49590e76f2531c60e0b00f2fd03ede71641af
SSDEEP

98304:F/1aS45wg9wCj95WS7Tld+z+RCAmv1nHALSIdx:F/oSJg9H959pd0eCv1HALSmx

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 16 IoCs

resource	yara_rule
behavioral1/memory/648-2-0x0000000004DC0000-0x00000000056AB000-memory.dmp	family_glupteba
behavioral1/memory/648-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/648-4-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/648-27-0x0000000004DC0000-0x00000000056AB000-memory.dmp	family_glupteba
behavioral1/memory/648-26-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/648-28-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/648-38-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/648-55-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/648-70-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/648-69-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/400-95-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/400-127-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/400-148-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/2204-216-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/2204-234-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/2204-238-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4412	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000000026-237.dat	upx
behavioral1/memory/1432-239-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2444-242-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1432-243-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2444-245-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1252	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4820	powershell.exe
1752	powershell.exe
4504	powershell.exe
4140	powershell.exe
4908	powershell.exe
4268	powershell.exe
1412	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1344	schtasks.exe
4928	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1412	powershell.exe
1412	powershell.exe
648	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
648	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	648	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
Token: SeImpersonatePrivilege	648	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1412	648	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe	91
PID 648 wrote to memory of 1412	648	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe	91
PID 648 wrote to memory of 1412	648	dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe	91

C:\Users\Admin\AppData\Local\Temp\dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
"C:\Users\Admin\AppData\Local\Temp\dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe
  "C:\Users\Admin\AppData\Local\Temp\dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c.exe"
  2⤵
  - Modifies data under HKEY_USERS
  PID:400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:4352
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4504
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4140
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:1344
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:3684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4340
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4928
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:4140
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3860 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2732

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ayuexgpc.42l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
75f0b348b71f2849a8d8e971da9f799e

SHA1
9ddb82469c97ecab31315aa4950f391f45c95a63

SHA256
77fa2614e366e2b59f4a0e117c580f0a78b421a2b67de95e0b4774368987ee07

SHA512
3b3827a42006db827b2b6b947f32423e6d0f42937b23df2f79f675e7112f25ad985231a4fae795aab33dc3e06997bed2132466b415872260a4710798d57df3df

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
91056a0f07a65ec06c0b70cf0837fdc9

SHA1
f96dffc1a2cd96820cdcd1c40ef0b2ccb4c5f6a2

SHA256
4cfdd5eeca507c0603dcd43464ed149ccb211695cd21cd6a44ac58500da90590

SHA512
cecf179a41ba15018efa25cbeffd9051df86ba82530c81284c676c9fda2dc4d0d42041ed5672200efa773b0804d343c9e841c9ef7a03a7ece6b973c1af986a9b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
94be666cf9a6bdbfbea4270badc8330a

SHA1
8c990c1d639db5aa780aa1a4c83a680e6bcf4cc6

SHA256
dee84e6bc689c0802bbec09a232f1f9860f0a731d91f4a6221ac7787ef23c425

SHA512
c4f5e8e090ee24a7fe1adefbb6db76d150a243d6e56fd7e4817fbd6b45c0cbb759223f8a779739b2691596ab72e18806cee105fbc6483de6df4e51a2631ba15e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0befb17a8bc673600b8a845e6dd5a916

SHA1
0eeafbb3762bfc68350f9d634d4affcc6e1e283e

SHA256
b859b34ee29178a012221e5b09f3552bb1a57cb6bf48363cc2b2482ac35c8995

SHA512
ac6fd4091c9d387e9e955cd3dbc939c5aa9e6288c3884b773cc73188bdbe30c8e5462bc207912b0457faff635fec4a1ef090ae47b4aadeb01d92a3fc357d72e6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bef3a1a2aecb82254cc9db89696790d2

SHA1
6084c6caf0a213f25624571bf3ba26ba96509607

SHA256
90e5d73927a240518c00ec039ea8c1d05315cc28a75365f6f92f5024e635255e

SHA512
b4e04af3c11a5119e562877fd4def77d32f988c3c55d4d4f843cf0678943c4e462fe8e115a4fab3fc3dd7aa52df6b2de6e3e2145108e94ed91da05bb7d4aab57

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
c72b82ed3bd518f7c3046e31ab2a86dd

SHA1
7b574fb217baed2452febd01345fa7c4818baf69

SHA256
dfba663f0226b996dd8b953b9f13b1f33dfe0118ac79dbf5433d02155400da6c

SHA512
f85949e6a658bdeb7f36cf7921a2715f99e0cecbc0578b5e1967e2468e5e270727b395351300f0ff761ef0120da49590e76f2531c60e0b00f2fd03ede71641af

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/400-95-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/400-127-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/400-148-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/648-27-0x0000000004DC0000-0x00000000056AB000-memory.dmp

Filesize
8.9MB

Download
memory/648-23-0x00000000049C0000-0x0000000004DBE000-memory.dmp

Filesize
4.0MB

Download
memory/648-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/648-2-0x0000000004DC0000-0x00000000056AB000-memory.dmp

Filesize
8.9MB

Download
memory/648-4-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/648-26-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/648-28-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/648-38-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/648-69-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/648-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/648-1-0x00000000049C0000-0x0000000004DBE000-memory.dmp

Filesize
4.0MB

Download
memory/648-55-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/1412-33-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-12-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/1412-37-0x0000000007300000-0x000000000731A000-memory.dmp

Filesize
104KB

Download
memory/1412-35-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-40-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-41-0x00000000074D0000-0x0000000007502000-memory.dmp

Filesize
200KB

Download
memory/1412-42-0x0000000070A00000-0x0000000070A4C000-memory.dmp

Filesize
304KB

Download
memory/1412-43-0x00000000711A0000-0x00000000714F4000-memory.dmp

Filesize
3.3MB

Download
memory/1412-53-0x00000000074B0000-0x00000000074CE000-memory.dmp

Filesize
120KB

Download
memory/1412-54-0x0000000007510000-0x00000000075B3000-memory.dmp

Filesize
652KB

Download
memory/1412-34-0x00000000064F0000-0x0000000006566000-memory.dmp

Filesize
472KB

Download
memory/1412-56-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/1412-57-0x0000000007680000-0x0000000007716000-memory.dmp

Filesize
600KB

Download
memory/1412-58-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/1412-59-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-61-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/1412-62-0x0000000007720000-0x0000000007734000-memory.dmp

Filesize
80KB

Download
memory/1412-63-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/1412-64-0x00000000075F0000-0x00000000075F8000-memory.dmp

Filesize
32KB

Download
memory/1412-67-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-32-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-31-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1412-5-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/1412-6-0x00000000028C0000-0x00000000028F6000-memory.dmp

Filesize
216KB

Download
memory/1412-7-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-8-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/1412-9-0x0000000005000000-0x0000000005628000-memory.dmp

Filesize
6.2MB

Download
memory/1412-10-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/1412-29-0x0000000006350000-0x0000000006394000-memory.dmp

Filesize
272KB

Download
memory/1412-11-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/1412-25-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/1412-24-0x0000000005D90000-0x0000000005DAE000-memory.dmp

Filesize
120KB

Download
memory/1412-36-0x0000000007950000-0x0000000007FCA000-memory.dmp

Filesize
6.5MB

Download
memory/1412-18-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/1432-243-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1432-239-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1752-110-0x0000000070B00000-0x0000000070B4C000-memory.dmp

Filesize
304KB

Download
memory/1752-111-0x0000000071290000-0x00000000715E4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-238-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/2204-216-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/2204-234-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/2204-244-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/2444-242-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2444-245-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4140-163-0x0000000070A60000-0x0000000070AAC000-memory.dmp

Filesize
304KB

Download
memory/4140-174-0x00000000076D0000-0x0000000007773000-memory.dmp

Filesize
652KB

Download
memory/4140-175-0x0000000007990000-0x00000000079A1000-memory.dmp

Filesize
68KB

Download
memory/4140-176-0x0000000006210000-0x0000000006224000-memory.dmp

Filesize
80KB

Download
memory/4140-164-0x00000000711F0000-0x0000000071544000-memory.dmp

Filesize
3.3MB

Download
memory/4140-162-0x0000000006A00000-0x0000000006A4C000-memory.dmp

Filesize
304KB

Download
memory/4140-160-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/4268-210-0x0000000005D60000-0x00000000060B4000-memory.dmp

Filesize
3.3MB

Download
memory/4268-217-0x0000000070980000-0x00000000709CC000-memory.dmp

Filesize
304KB

Download
memory/4268-218-0x0000000071110000-0x0000000071464000-memory.dmp

Filesize
3.3MB

Download
memory/4504-134-0x0000000071290000-0x00000000715E4000-memory.dmp

Filesize
3.3MB

Download
memory/4504-133-0x0000000070B00000-0x0000000070B4C000-memory.dmp

Filesize
304KB

Download
memory/4820-81-0x0000000006C50000-0x0000000006C9C000-memory.dmp

Filesize
304KB

Download
memory/4820-72-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/4820-96-0x0000000007D60000-0x0000000007D74000-memory.dmp

Filesize
80KB

Download
memory/4820-94-0x0000000007CF0000-0x0000000007D01000-memory.dmp

Filesize
68KB

Download
memory/4820-82-0x0000000070B00000-0x0000000070B4C000-memory.dmp

Filesize
304KB

Download
memory/4820-93-0x00000000079E0000-0x0000000007A83000-memory.dmp

Filesize
652KB

Download
memory/4820-83-0x0000000071290000-0x00000000715E4000-memory.dmp

Filesize
3.3MB

Download
memory/4908-201-0x00000000071A0000-0x0000000007243000-memory.dmp

Filesize
652KB

Download
memory/4908-189-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

Filesize
304KB

Download
memory/4908-190-0x0000000070980000-0x00000000709CC000-memory.dmp

Filesize
304KB

Download
memory/4908-187-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/4908-191-0x0000000070B10000-0x0000000070E64000-memory.dmp

Filesize
3.3MB

Download
memory/4908-202-0x00000000074F0000-0x0000000007501000-memory.dmp

Filesize
68KB

Download
memory/4908-203-0x0000000005840000-0x0000000005854000-memory.dmp

Filesize
80KB

Download