sality | 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Size

1.0MB
MD5

9a1c42042be407c78e3f1ff570a390a7
SHA1

0a44e081d37310cf72f0a86464107a7c402a1b1f
SHA256

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f
SHA512

78b4dbed8490404140dc1dc3e3ef4667e7c81b0dfcd2d82f5e8428788406a924e04ee015928430d7d5c075cae356266cf73628e51063285306bc350e72a58534
SSDEEP

24576:l7H7f78khm7l72B2J797fqZ7f9HCrO0fmbGD4uz/cFDy:l7H7f7857l72BQ797y71HCrc/uzEo

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Executes dropped EXE 3 IoCs

Processes:

Logo1_.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

pid process

2116 Logo1_.exe
3596 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
3024 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3596-21-0x0000000000760000-0x00000000017EE000-memory.dmp	upx
behavioral2/memory/3596-23-0x0000000000760000-0x00000000017EE000-memory.dmp	upx
behavioral2/memory/3596-29-0x0000000000760000-0x00000000017EE000-memory.dmp	upx
behavioral2/memory/3596-30-0x0000000000760000-0x00000000017EE000-memory.dmp	upx
behavioral2/memory/3596-32-0x0000000000760000-0x00000000017EE000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\Shaders\LoadedModelShaders\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\_desktop.ini	Logo1_.exe

Drops file in Windows directory 7 IoCs

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exeLogo1_.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
File created	C:\Windows\Logo1_.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
File created	C:\Windows\Logo1_.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File opened for modification	C:\Windows\SYSTEM.INI	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Logo1_.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

pid	process
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe
2116	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	pid	process
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
Token: SeDebugPrivilege	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exeLogo1_.exenet.execmd.exe179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.execmd.exe

description	pid	process	target process
PID 4592 wrote to memory of 2404	4592	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 4592 wrote to memory of 2404	4592	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 4592 wrote to memory of 2404	4592	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 4592 wrote to memory of 2116	4592	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	Logo1_.exe
PID 4592 wrote to memory of 2116	4592	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	Logo1_.exe
PID 4592 wrote to memory of 2116	4592	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	Logo1_.exe
PID 2116 wrote to memory of 2100	2116	Logo1_.exe	net.exe
PID 2116 wrote to memory of 2100	2116	Logo1_.exe	net.exe
PID 2116 wrote to memory of 2100	2116	Logo1_.exe	net.exe
PID 2100 wrote to memory of 2844	2100	net.exe	net1.exe
PID 2100 wrote to memory of 2844	2100	net.exe	net1.exe
PID 2100 wrote to memory of 2844	2100	net.exe	net1.exe
PID 2404 wrote to memory of 3596	2404	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2404 wrote to memory of 3596	2404	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2404 wrote to memory of 3596	2404	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 3596 wrote to memory of 776	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	fontdrvhost.exe
PID 3596 wrote to memory of 784	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	fontdrvhost.exe
PID 3596 wrote to memory of 316	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	dwm.exe
PID 3596 wrote to memory of 2788	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	sihost.exe
PID 3596 wrote to memory of 2808	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	svchost.exe
PID 3596 wrote to memory of 1260	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 3596 wrote to memory of 1260	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 3596 wrote to memory of 1260	3596	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe	cmd.exe
PID 1260 wrote to memory of 3024	1260	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 1260 wrote to memory of 3024	1260	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 1260 wrote to memory of 3024	1260	cmd.exe	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
PID 2116 wrote to memory of 3420	2116	Logo1_.exe	Explorer.EXE
PID 2116 wrote to memory of 3420	2116	Logo1_.exe	Explorer.EXE

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2808

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
"C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4304.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
"C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a44BA.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe
"C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe"
6⤵
- Executes dropped EXE
PID:3024

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
0b02dfc1b962c1df256edd0052bc5139

SHA1
d54d2df2f257aa6d97ad85eec6d7d4220e106fa3

SHA256
af941ea3805324883d0945a55f06f88a84848281b7e2a032618bd85be6983adb

SHA512
c420baa3414fce1f4604b636d05bf803d816529cfd78d00f48a7ed875822fc36157bf5bbccef6fd93bab3e98491c7985f3cfdf61985f9e4e407310aa7757e289

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
570KB

MD5
7302c943350f08b7983b56011dfebfff

SHA1
3fedfd2ebaf04b09635a218f230726e64d258a91

SHA256
a2e2b505debc071b445ca0cefe611a367a398cdb016f835eceacbd3b01a405e7

SHA512
a57c8ca91e529bec9d502ef3b204deb6d09f5ecb46ef135d130259d1936618180fe13db55bd5f7bebbec1d477ea9bb9f98455b59f09b4d45c00ecd3a3df70803

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4304.bat
Filesize
722B

MD5
254934e1bed74bb5da44b18bcf7f999e

SHA1
41daca51746bff972e34860693811a27b73809eb

SHA256
a1a9d4127698e34c09ee0fb5edf3147debfcd65878656823d5ff0d58255cd062

SHA512
7b56f2eaf8bce03feae8b79081fa0ac7acc125eab5ed6719f9958c4f029c6c8f9a4e3f95d149bbaed080e05fe5c21b72388d9d61a07ff11f802df23d5a6a6b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a44BA.bat
Filesize
722B

MD5
99eaae8a5b104ff7f04f0bdcf752788a

SHA1
831fd12201322e3e5bf668b0b88e0ab08b99b738

SHA256
79f033cad4857faca9830defd3201336a328b5a0ab9bd8d60b317f7356300768

SHA512
75890fbc2f618c24a1705fc4eb7b953e5ee5546b4c9ac14062a795dc381cd5259ed3d69a6453068c9504607d8b4537c250c6de6f56999678d8a9e397fea35adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe.exe
Filesize
1008KB

MD5
47239e98f567a255ad59a52ece290642

SHA1
0aae5976179fce9f3a436e7add255aeaeb5df1bc

SHA256
e78d3ba5ce7661ec118c426e03a5c4447f36779bfa63cad80499bd0b4f2cf0dd

SHA512
48598e106df1b69a6e7dd282a37640ea1496ae67d7ddd3f89bcab07ec81ddda0cc6f95bc681fdcb502fe7c2e83c86e59f8b5f83bb008cd3fb91d62a0899dea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\179550d8db74726e449f6d3ffc9734b43c88d21d20bb03e554b3009c25b74c5f.exe.exe
Filesize
981KB

MD5
6f8aac91731edf732fe02b457eded4da

SHA1
6b1ad7be49671e42c5cb2c2f477260755f3a12e3

SHA256
69ce9375840715b47d1cfdfa281ce51c5fe5890f980a76ff2d5c1926596486e2

SHA512
da6dc0e7fab669f7f77b8f5542c6ca25a736bcc1f028136cf1a739c40a744be4b3a746ce623fb27cc7dd13d7220923033597c1687796a4e68d061ca00a939509

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
cbf2e5f5ea26c76bc9bfaa9f3f3b645c

SHA1
7a9a99cb59c1f79b2eb5f7c6094dc8e05c7a6ca1

SHA256
9d8e85c12fc228fc9dff2547d4a61d07ef9ecc13a6d941d9f0bbd275be2df458

SHA512
92f3da9c690400d880355e186a8595c68a7b541fdd37e4f5683741452827e177fefbc501492d29edf9c82ef6de1ebb6673da962722d56040100a08a56a8a4f63

Download Submit
C:\Windows\rundl132.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini
Filesize
9B

MD5
2822854d33e24347f613c750df46b810

SHA1
c2ea2529c032aa552d5a8301900cf27fc0f6045c

SHA256
73f2f888bdeaf9427c7aa3355fbe711e6570fb5e9e48c3f64cd229198ce85ad2

SHA512
21fff5d14e03a0420d9242a095c2e93ac2b7e6b9e49d12da907394ac9725bb746896721ceded88411895e9630a8ffbface168f0c02630b33300647d3d9e3326c

Download Submit
memory/2116-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-793-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-5258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-4819-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-1310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-1254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3596-21-0x0000000000760000-0x00000000017EE000-memory.dmp

Filesize
16.6MB

Download
memory/3596-19-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3596-30-0x0000000000760000-0x00000000017EE000-memory.dmp

Filesize
16.6MB

Download
memory/3596-23-0x0000000000760000-0x00000000017EE000-memory.dmp

Filesize
16.6MB

Download
memory/3596-29-0x0000000000760000-0x00000000017EE000-memory.dmp

Filesize
16.6MB

Download
memory/3596-36-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3596-32-0x0000000000760000-0x00000000017EE000-memory.dmp

Filesize
16.6MB

Download
memory/4592-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download