glupteba | 017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f

Analysis

max time kernel
149s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17-05-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Size

4.1MB
MD5

69fe44102f5667f05e19def5a5e21baa
SHA1

77534ede9077782076529fd10663b9475b006a65
SHA256

017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f
SHA512

aa3603673afb37c7bf9f5f93ceec24f3d240ceab8d632ce173b4674321f3ff422138216f12cc60d98b83ecaded649b6d5e129b74874765178af50102f25f7785
SSDEEP

98304:yZ3eWnmCP3Day+MGMrrH7Rp/OOmeNALbhxcJ3GFuqO9B+e2R0FJR:YufQJ+wrvRp/OL3LVxY3GFuq2BkwJR

Score

10^/10

glupteba discovery dropper evasion execution loader persistence

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral2/memory/1696-2-0x0000000004CA0000-0x000000000558B000-memory.dmp	family_glupteba
behavioral2/memory/1696-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1696-44-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1696-45-0x0000000004CA0000-0x000000000558B000-memory.dmp	family_glupteba
behavioral2/memory/1696-43-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/1732-121-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-193-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-196-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-202-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-208-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-214-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-223-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-232-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-241-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-250-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-259-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-268-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-277-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba
behavioral2/memory/4780-286-0x0000000000400000-0x0000000002B0D000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1960	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
4780	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
File created	C:\Windows\rss\csrss.exe	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
4964	powershell.exe
4336	powershell.exe
3564	powershell.exe
2584	powershell.exe
564	powershell.exe
3692	powershell.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4508	2500	WerFault.exe	81
2388	1696	WerFault.exe	78
1708	1732	WerFault.exe	89

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
568	schtasks.exe
4828	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	powershell.exe
2500	powershell.exe
1696	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1696	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
4964	powershell.exe
4964	powershell.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
4336	powershell.exe
4336	powershell.exe
3564	powershell.exe
3564	powershell.exe
2584	powershell.exe
2584	powershell.exe
564	powershell.exe
564	powershell.exe
3692	powershell.exe
3692	powershell.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe
1692	injector.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1696	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Token: SeImpersonatePrivilege	1696	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2500	1696	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	81
PID 1696 wrote to memory of 2500	1696	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	81
PID 1696 wrote to memory of 2500	1696	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	81
PID 1732 wrote to memory of 4964	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	92
PID 1732 wrote to memory of 4964	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	92
PID 1732 wrote to memory of 4964	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	92
PID 1732 wrote to memory of 3436	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	94
PID 1732 wrote to memory of 3436	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	94
PID 3436 wrote to memory of 1960	3436	cmd.exe	96
PID 3436 wrote to memory of 1960	3436	cmd.exe	96
PID 1732 wrote to memory of 4336	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	97
PID 1732 wrote to memory of 4336	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	97
PID 1732 wrote to memory of 4336	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	97
PID 1732 wrote to memory of 3564	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	99
PID 1732 wrote to memory of 3564	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	99
PID 1732 wrote to memory of 3564	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	99
PID 1732 wrote to memory of 4780	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	101
PID 1732 wrote to memory of 4780	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	101
PID 1732 wrote to memory of 4780	1732	017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
"C:\Users\Admin\AppData\Local\Temp\017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 2500
    3⤵
    - Program crash
    PID:4508
- C:\Users\Admin\AppData\Local\Temp\017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe
  "C:\Users\Admin\AppData\Local\Temp\017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f.exe"
  2⤵
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:568
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1692
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 900
    3⤵
    - Program crash
    PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 928
  2⤵
  - Program crash
  PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2500 -ip 2500
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1696 -ip 1696
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1732 -ip 1732
1⤵
PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ja122vp4.iq1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
5d61a5078fea6c453118d0dacba45347

SHA1
69e320ab23da578ab99bb870d6b5ab5b3de1b647

SHA256
a3ae407cde8d983aff743632521be7c214cd29bbef8921b634792673894e57c9

SHA512
2cc02e30d15392fd510db98183494da3e45c84c0f998f04b7b3dc2b16a163963de0c932fbf3c20535c0a372c78d4347cea27f8cc0af2797200313a6763e62cc3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2bfa5ee7e3e32393f4ff5e11acb4ef21

SHA1
cfa9cffb28245e0e565da3a9f94ea86e1952c2ef

SHA256
1f288c36b9ed59edc4e6826c2494ef1aafd19935d11e8b7ca52a0e63d7b59398

SHA512
41a8d65281c1e3c7874040644131a24600279fb5f44817a62d9b2a97b78a4f2788b4baa9b51c83091c52ae7b0bd76e82b94f003f1fede44884fb5e8f36058365

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
35843cc1acc2a465b3c1ffb927af1e3a

SHA1
dfc07d1b5f186372946e4248eaa4dfd81bc78fcf

SHA256
75b7c0a9063ab4dd2f95d5ff056a4e1914c838bf879af8a70887e85a2365bd5b

SHA512
74a6addefa294fcadbd7d0ac1a8b70c7b8fbb72bef68e9abb7e88b8932534623d4b5cd2e279ba079bed9100422ed023ad5d5f196bb9a1673837a29bb7871c862

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
66dc4c0701cfdf538869ead8899dc468

SHA1
03d602b8d29c4638550e002e48eb893e04a59cf4

SHA256
77da32d5c7abdca05f3911b58f9362a12c4535df933ab066647e5841290817d4

SHA512
0849b3a9613569ddf9256d1d0d471e77f36fc1c4a181fee1645140e0f44c207201ecf3033b3b9a1a9f143a0fa18f3da4db0304a7d9def3ec4b025722c9a40dfb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9ac630fac9701b95dfcf8cca093b17a2

SHA1
dbb2cb86024fb546af35db1eb4e6bbf082fe5cf1

SHA256
1d94a5fc5dba9102c134e2a4b1a24c1452db8956ab63453ea051eb21415eb472

SHA512
390cbbd2e7e81b908ae7a826cadef91ed7ceada7d48f6af28eae8196de31c5b00aac541deb26c3a626a62758bcaf8f2dd5e099f5a125b8dc66b264a5a0f2ee65

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
69fe44102f5667f05e19def5a5e21baa

SHA1
77534ede9077782076529fd10663b9475b006a65

SHA256
017659c15b3364b7b452f49175a2f5161a60c9f12ad03a3782d67094cab9c61f

SHA512
aa3603673afb37c7bf9f5f93ceec24f3d240ceab8d632ce173b4674321f3ff422138216f12cc60d98b83ecaded649b6d5e129b74874765178af50102f25f7785

Download Submit
memory/564-170-0x0000000005FD0000-0x0000000005FE5000-memory.dmp

Filesize
84KB

Download
memory/564-157-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/564-159-0x00000000708C0000-0x0000000070C17000-memory.dmp

Filesize
3.3MB

Download
memory/564-168-0x0000000007430000-0x00000000074D4000-memory.dmp

Filesize
656KB

Download
memory/564-155-0x0000000005BC0000-0x0000000005F17000-memory.dmp

Filesize
3.3MB

Download
memory/564-169-0x0000000007600000-0x0000000007611000-memory.dmp

Filesize
68KB

Download
memory/564-158-0x0000000070690000-0x00000000706DC000-memory.dmp

Filesize
304KB

Download
memory/1696-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1696-1-0x00000000048A0000-0x0000000004C9F000-memory.dmp

Filesize
4.0MB

Download
memory/1696-2-0x0000000004CA0000-0x000000000558B000-memory.dmp

Filesize
8.9MB

Download
memory/1696-43-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/1696-45-0x0000000004CA0000-0x000000000558B000-memory.dmp

Filesize
8.9MB

Download
memory/1696-44-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1732-121-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/2500-39-0x0000000007080000-0x000000000709A000-memory.dmp

Filesize
104KB

Download
memory/2500-22-0x0000000005B80000-0x0000000005BCC000-memory.dmp

Filesize
304KB

Download
memory/2500-40-0x00000000070C0000-0x00000000070CA000-memory.dmp

Filesize
40KB

Download
memory/2500-41-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/2500-37-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/2500-26-0x00000000708F0000-0x0000000070C47000-memory.dmp

Filesize
3.3MB

Download
memory/2500-36-0x0000000006F60000-0x0000000007004000-memory.dmp

Filesize
656KB

Download
memory/2500-38-0x00000000076D0000-0x0000000007D4A000-memory.dmp

Filesize
6.5MB

Download
memory/2500-20-0x0000000005630000-0x0000000005987000-memory.dmp

Filesize
3.3MB

Download
memory/2500-21-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/2500-4-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2500-9-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2500-5-0x0000000004610000-0x0000000004646000-memory.dmp

Filesize
216KB

Download
memory/2500-6-0x0000000004E20000-0x000000000544A000-memory.dmp

Filesize
6.2MB

Download
memory/2500-7-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/2500-8-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/2500-10-0x0000000074490000-0x0000000074C41000-memory.dmp

Filesize
7.7MB

Download
memory/2500-11-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/2500-35-0x0000000006F40000-0x0000000006F5E000-memory.dmp

Filesize
120KB

Download
memory/2500-23-0x0000000006080000-0x00000000060C6000-memory.dmp

Filesize
280KB

Download
memory/2500-25-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/2500-24-0x0000000006F00000-0x0000000006F34000-memory.dmp

Filesize
208KB

Download
memory/2584-122-0x00000000063B0000-0x0000000006707000-memory.dmp

Filesize
3.3MB

Download
memory/2584-145-0x0000000006730000-0x0000000006745000-memory.dmp

Filesize
84KB

Download
memory/2584-144-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/2584-133-0x0000000070770000-0x00000000707BC000-memory.dmp

Filesize
304KB

Download
memory/2584-143-0x0000000007B70000-0x0000000007C14000-memory.dmp

Filesize
656KB

Download
memory/2584-134-0x00000000709B0000-0x0000000070D07000-memory.dmp

Filesize
3.3MB

Download
memory/2584-132-0x0000000006A50000-0x0000000006A9C000-memory.dmp

Filesize
304KB

Download
memory/3564-107-0x0000000070810000-0x000000007085C000-memory.dmp

Filesize
304KB

Download
memory/3564-108-0x0000000070A10000-0x0000000070D67000-memory.dmp

Filesize
3.3MB

Download
memory/3564-102-0x0000000005700000-0x0000000005A57000-memory.dmp

Filesize
3.3MB

Download
memory/3692-182-0x0000000070690000-0x00000000706DC000-memory.dmp

Filesize
304KB

Download
memory/3692-180-0x0000000005740000-0x0000000005A97000-memory.dmp

Filesize
3.3MB

Download
memory/3692-183-0x0000000070810000-0x0000000070B67000-memory.dmp

Filesize
3.3MB

Download
memory/4336-84-0x0000000006200000-0x0000000006557000-memory.dmp

Filesize
3.3MB

Download
memory/4336-87-0x0000000070990000-0x0000000070CE7000-memory.dmp

Filesize
3.3MB

Download
memory/4336-86-0x0000000070810000-0x000000007085C000-memory.dmp

Filesize
304KB

Download
memory/4780-194-0x0000000074E70000-0x0000000074EB1000-memory.dmp

Filesize
260KB

Download
memory/4780-232-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-286-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-277-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-268-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-259-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-250-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-241-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-223-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-214-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-221-0x0000000074C20000-0x0000000074C31000-memory.dmp

Filesize
68KB

Download
memory/4780-208-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-193-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-200-0x0000000074D30000-0x0000000074D41000-memory.dmp

Filesize
68KB

Download
memory/4780-201-0x0000000074CF0000-0x0000000074D31000-memory.dmp

Filesize
260KB

Download
memory/4780-197-0x0000000074E70000-0x0000000074EB1000-memory.dmp

Filesize
260KB

Download
memory/4780-196-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4780-202-0x0000000000400000-0x0000000002B0D000-memory.dmp

Filesize
39.1MB

Download
memory/4964-52-0x0000000005CD0000-0x0000000006027000-memory.dmp

Filesize
3.3MB

Download
memory/4964-55-0x0000000006670000-0x00000000066BC000-memory.dmp

Filesize
304KB

Download
memory/4964-56-0x0000000070810000-0x000000007085C000-memory.dmp

Filesize
304KB

Download
memory/4964-57-0x0000000070A50000-0x0000000070DA7000-memory.dmp

Filesize
3.3MB

Download
memory/4964-72-0x0000000007760000-0x0000000007768000-memory.dmp

Filesize
32KB

Download
memory/4964-66-0x0000000007380000-0x0000000007424000-memory.dmp

Filesize
656KB

Download
memory/4964-67-0x0000000007790000-0x0000000007826000-memory.dmp

Filesize
600KB

Download
memory/4964-68-0x00000000076B0000-0x00000000076C1000-memory.dmp

Filesize
68KB

Download
memory/4964-69-0x00000000076F0000-0x00000000076FE000-memory.dmp

Filesize
56KB

Download
memory/4964-70-0x0000000007700000-0x0000000007715000-memory.dmp

Filesize
84KB

Download
memory/4964-71-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download