sality | cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69

Analysis

max time kernel
20s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Size

543KB
MD5

57a9cfd170d1e96b318f75fe008f8be0
SHA1

eed39956b07e83fb0b09e8237c1e20eb294eea68
SHA256

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69
SHA512

206f17c239ccd9a45bf6c5fdf8b6aa31975c644a03b6b82c80fa380a4fcf23d9c31f89829c0e51d9251d61d6b0f25ac9722b21568b36cc6fde3064435ceab28e
SSDEEP

6144:SVfjmNFBqBcLb+Vb3aZfhQuSZa5z42qGjZ32D+a48g4vKGggHSawol8Utv55DHtI:s7+b8cveb3aVhQxsURGIgLZ/csbEM/h

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Logo1_.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Logo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

Executes dropped EXE 2 IoCs

Processes:

Logo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

pid process

2380 Logo1_.exe
4788 cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4788-21-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-23-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-24-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-25-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-46-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-43-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-48-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-50-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-51-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-52-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-53-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/4788-58-0x0000000002240000-0x00000000032CE000-memory.dmp	upx
behavioral2/memory/2380-78-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-75-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-77-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-86-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-84-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-85-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-83-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-81-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-82-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-89-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-88-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-90-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-91-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-92-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-94-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-95-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-96-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-99-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-106-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-109-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-111-0x0000000003450000-0x00000000044DE000-memory.dmp	upx
behavioral2/memory/2380-146-0x0000000003450000-0x00000000044DE000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Logo1_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Logo1_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Logo1_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Logo1_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Windows directory 5 IoCs

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
File created	C:\Windows\Logo1_.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\SYSTEM.INI	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

Logo1_.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

pid	process
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe
2380	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

description	pid	process
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Token: SeDebugPrivilege	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exenet.execmd.execfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe

description	pid	process	target process
PID 3380 wrote to memory of 4112	3380	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 3380 wrote to memory of 4112	3380	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 3380 wrote to memory of 4112	3380	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 3380 wrote to memory of 2380	3380	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 3380 wrote to memory of 2380	3380	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 3380 wrote to memory of 2380	3380	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 2380 wrote to memory of 4268	2380	Logo1_.exe	net.exe
PID 2380 wrote to memory of 4268	2380	Logo1_.exe	net.exe
PID 2380 wrote to memory of 4268	2380	Logo1_.exe	net.exe
PID 4268 wrote to memory of 4864	4268	net.exe	net1.exe
PID 4268 wrote to memory of 4864	4268	net.exe	net1.exe
PID 4268 wrote to memory of 4864	4268	net.exe	net1.exe
PID 4112 wrote to memory of 4788	4112	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 4112 wrote to memory of 4788	4112	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 4112 wrote to memory of 4788	4112	cmd.exe	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
PID 4788 wrote to memory of 796	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	fontdrvhost.exe
PID 4788 wrote to memory of 804	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	fontdrvhost.exe
PID 4788 wrote to memory of 316	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	dwm.exe
PID 4788 wrote to memory of 2636	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	sihost.exe
PID 4788 wrote to memory of 3120	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	svchost.exe
PID 4788 wrote to memory of 3200	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	taskhostw.exe
PID 4788 wrote to memory of 3500	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Explorer.EXE
PID 4788 wrote to memory of 3628	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	svchost.exe
PID 4788 wrote to memory of 3824	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	DllHost.exe
PID 4788 wrote to memory of 3948	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	StartMenuExperienceHost.exe
PID 4788 wrote to memory of 4012	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	RuntimeBroker.exe
PID 4788 wrote to memory of 4092	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	SearchApp.exe
PID 4788 wrote to memory of 4140	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	RuntimeBroker.exe
PID 4788 wrote to memory of 4288	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	RuntimeBroker.exe
PID 4788 wrote to memory of 4544	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	TextInputHost.exe
PID 4788 wrote to memory of 4112	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 4788 wrote to memory of 4112	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	cmd.exe
PID 4788 wrote to memory of 2380	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 4788 wrote to memory of 2380	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Logo1_.exe
PID 4788 wrote to memory of 4004	4788	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe	Conhost.exe
PID 2380 wrote to memory of 3500	2380	Logo1_.exe	Explorer.EXE
PID 2380 wrote to memory of 3500	2380	Logo1_.exe	Explorer.EXE
PID 2380 wrote to memory of 796	2380	Logo1_.exe	fontdrvhost.exe
PID 2380 wrote to memory of 804	2380	Logo1_.exe	fontdrvhost.exe
PID 2380 wrote to memory of 316	2380	Logo1_.exe	dwm.exe
PID 2380 wrote to memory of 2636	2380	Logo1_.exe	sihost.exe
PID 2380 wrote to memory of 3120	2380	Logo1_.exe	svchost.exe
PID 2380 wrote to memory of 3200	2380	Logo1_.exe	taskhostw.exe
PID 2380 wrote to memory of 3500	2380	Logo1_.exe	Explorer.EXE
PID 2380 wrote to memory of 3628	2380	Logo1_.exe	svchost.exe
PID 2380 wrote to memory of 3824	2380	Logo1_.exe	DllHost.exe
PID 2380 wrote to memory of 3948	2380	Logo1_.exe	StartMenuExperienceHost.exe
PID 2380 wrote to memory of 4012	2380	Logo1_.exe	RuntimeBroker.exe
PID 2380 wrote to memory of 4092	2380	Logo1_.exe	SearchApp.exe
PID 2380 wrote to memory of 4140	2380	Logo1_.exe	RuntimeBroker.exe
PID 2380 wrote to memory of 4288	2380	Logo1_.exe	RuntimeBroker.exe
PID 2380 wrote to memory of 4544	2380	Logo1_.exe	TextInputHost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exeLogo1_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Logo1_.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3120

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
"C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44BA.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
"C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4788

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2380

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4288

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1300

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
533ce215a7c274602dc456ca375cef93

SHA1
76c502d7c45eca3fd96f6b04eb850e751bc785dd

SHA256
d70c9f73bbeed5cbc0df4a4d14bae68789f84d8092281337d2919322b288ce9c

SHA512
09d9dee36c48567921de4b7c31c4a822d5f9ed5e0b1cb0330031b320f40b5ba9b15e89dc37d52561094642c0ff16c14d32e81ed5b1dac06150fefbbd6f3365bf

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
570KB

MD5
733d77a97118cb49b0ad86b6fd375b8f

SHA1
f89de423456eb2a3610bbb3b122d8942f8fdfcda

SHA256
aa1c028f63bbb538dd7a6f7ca26cb476cdcb7444b7370b421321dbe0129d3c61

SHA512
04676bbb7e2db296e2dad3f7f8872a963a2fcb63f1e5be956e0f533f1b5d4d9e9c3e2ca0ed61380d350e6eedf2aac25f0eff400f781344d1f72a41f4f15209be

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a44BA.bat
Filesize
722B

MD5
d181136218e9d940bc15883264f8593f

SHA1
32333a0996333f3229abfd5f696b6b8660937533

SHA256
26481182ee8db37fb86c6180fb1e341f1cc201e68247ce5b760231a937acfe82

SHA512
0d77b1a4c2409a3e9bf3017d40c17b75626d52bfdbf7ae5b476e14bb45ff7a19ad93a15deb3af714bffa6e39eccb55dbe73a8047d44b539f7d44c314845c436e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E5747A8_Rar\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe
Filesize
444KB

MD5
1108b166160d6023af76435b074052b6

SHA1
7538372af2b7dc03f908a94cba7d046d301c805e

SHA256
52b032521b4cd24a4268472bcff3be42fd8166a5cc5993b89f79575aa0279666

SHA512
f12dea253197375dbbe06d9c51d4016abdbe4f8f5cdd756880e53c211412ae19a2d23f2cc8cd0c39b6b2675cc4085d64070569c23e7c411b859dca073973797b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfbf1ad2434980fb289a153b334ad9f65cf19db903f77eda2563c6ca892a7c69.exe.exe
Filesize
516KB

MD5
8b1ebb25da592427b043652c2501021c

SHA1
20e55256c933abf2343ee54037e75dc3c5164304

SHA256
e4a3b471b7719161ed4c95fb8d9fc4fab7fba2d2fea4e3f579b1da981c091374

SHA512
2380c8af8e10d983506d3ec963d66a9349120164d8f9723fb3aeec7dbb6a5419e3c2870d7d8ebbe906f05d9a83aa987fe9e1045f4b5f9657c0d4dab7b127df6f

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
c5a8312f88f1dcec47a28264ae54f6f1

SHA1
64b1bde76a151fc4ebd09ed44a8e2e6aec6ec219

SHA256
dff8ca68a4330213bc89e130f3794f13c27adf85c297d98f184e563103a2800d

SHA512
110992a0170f7fa7f43a5f1af26cc2409a78df1f18904275c008c0546230a2ce11477aa14f864be20223144770808eed8f488fef1005b5045f1c764d1ac769a2

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
8168620fe50bf68499a9d52890368dd1

SHA1
90cab2b646fe9edd9bf482db9121075ce8eb511d

SHA256
dc58fc686828c90a43deefc1a35c6b00f1c308934fff7e323020dd3a1a1dd516

SHA512
2d81a23a64a6b42a89ae25fcee853879b88699dfbf7482fd881d0f2f57a7a50d639d571713b9c9f9507a838b517975b77c34f7e7f088fc527698cf2af1f64f31

Download Submit
C:\bmdid.exe
Filesize
100KB

MD5
8f02845b2df30b6cc964aca870ad4bb8

SHA1
d9025b5b3ca4b0c502b1d1d24d8bb57e9068f8ab

SHA256
31153d8d4d3b30ebbbe36c9cb23e986a7e957c3549b275ae45e9328b608ad331

SHA512
20ed701c9d4ed3d11d18bac02ce0cff9897cfa7b302025b91e67698c3feaeba3ca1838315aaae00efd4231c305a03654ac0e256be5c8eb06eab7533ce72c389c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
Filesize
9B

MD5
2822854d33e24347f613c750df46b810

SHA1
c2ea2529c032aa552d5a8301900cf27fc0f6045c

SHA256
73f2f888bdeaf9427c7aa3355fbe711e6570fb5e9e48c3f64cd229198ce85ad2

SHA512
21fff5d14e03a0420d9242a095c2e93ac2b7e6b9e49d12da907394ac9725bb746896721ceded88411895e9630a8ffbface168f0c02630b33300647d3d9e3326c

Download Submit
memory/2380-95-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-85-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-42-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/2380-111-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-38-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/2380-94-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-109-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-106-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-83-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-99-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-98-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download
memory/2380-96-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-39-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2380-92-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-146-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-91-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-90-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-88-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-89-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-82-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-81-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-84-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-78-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-75-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-77-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/2380-86-0x0000000003450000-0x00000000044DE000-memory.dmp

Filesize
16.6MB

Download
memory/3380-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-36-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4112-72-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/4112-35-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/4112-47-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/4112-49-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/4788-52-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-45-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/4788-51-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-50-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-48-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-58-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-64-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/4788-43-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-46-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-53-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4788-44-0x0000000000700000-0x0000000000702000-memory.dmp

Filesize
8KB

Download
memory/4788-25-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-41-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4788-24-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-23-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-21-0x0000000002240000-0x00000000032CE000-memory.dmp

Filesize
16.6MB

Download
memory/4788-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download