sality | fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d

Analysis

max time kernel
135s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d.dll
Size

120KB
MD5

7f979404f5032afe210729b54dfac5ef
SHA1

76c90b74cdd29563ddbc26395bec29063df0681b
SHA256

fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d
SHA512

44a097a577a246c1fd9c49d13b9ef0ecf701e657daaa935236f6da9936ef8907d866ee1e873ee1a754f73b6c26173c9ba765f982ee100d3748078539648e9945
SSDEEP

3072:FGE3MnhUaUd/o+Thb7sKGHWwEaFyrpzF:ROhUi+Thb7sKGdVFcF

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 9 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5737d9.exee5756ab.exee5735d5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5756ab.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5737d9.exee5756ab.exee5735d5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5735d5.exe

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5735d5.exee5737d9.exee5756ab.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5756ab.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 30 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2124-12-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-20-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-11-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-21-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-22-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-13-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-19-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-10-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-8-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-9-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-6-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-36-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-37-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-38-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-39-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-40-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-50-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-59-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-61-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-62-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-64-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-66-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-68-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-70-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-72-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-73-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-74-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2124-80-0x00000000007E0000-0x000000000189A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1176-112-0x0000000000B60000-0x0000000001C1A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1176-129-0x0000000000B60000-0x0000000001C1A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2124-12-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-20-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-11-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-21-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-22-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/1176-35-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/2124-13-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-19-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-10-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-8-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-9-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-6-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-36-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-37-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-38-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-39-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-40-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-50-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-59-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-61-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-62-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-64-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-66-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-68-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-70-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-72-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-73-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-74-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-80-0x00000000007E0000-0x000000000189A000-memory.dmp	UPX
behavioral2/memory/2124-95-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1176-112-0x0000000000B60000-0x0000000001C1A000-memory.dmp	UPX
behavioral2/memory/1176-129-0x0000000000B60000-0x0000000001C1A000-memory.dmp	UPX
behavioral2/memory/1176-130-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/5056-153-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

e5735d5.exee5737d9.exee5756ab.exe

pid process

2124 e5735d5.exe
1176 e5737d9.exe
5056 e5756ab.exe

pid	process
2124	e5735d5.exe
1176	e5737d9.exe
5056	e5756ab.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2124-12-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-20-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-11-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-21-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-22-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-13-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-19-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-10-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-8-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-9-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-6-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-36-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-37-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-38-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-39-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-40-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-50-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-59-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-61-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-62-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-64-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-66-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-68-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-70-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-72-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-73-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-74-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/2124-80-0x00000000007E0000-0x000000000189A000-memory.dmp	upx
behavioral2/memory/1176-112-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx
behavioral2/memory/1176-129-0x0000000000B60000-0x0000000001C1A000-memory.dmp	upx

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5737d9.exee5756ab.exee5735d5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5737d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5756ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5756ab.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5735d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5735d5.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e5735d5.exee5737d9.exee5756ab.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5756ab.exe

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e5735d5.exe

description	ioc	process
File opened (read-only)	\??\E:	e5735d5.exe
File opened (read-only)	\??\I:	e5735d5.exe
File opened (read-only)	\??\O:	e5735d5.exe
File opened (read-only)	\??\G:	e5735d5.exe
File opened (read-only)	\??\H:	e5735d5.exe
File opened (read-only)	\??\J:	e5735d5.exe
File opened (read-only)	\??\K:	e5735d5.exe
File opened (read-only)	\??\L:	e5735d5.exe
File opened (read-only)	\??\M:	e5735d5.exe
File opened (read-only)	\??\N:	e5735d5.exe
File opened (read-only)	\??\P:	e5735d5.exe

Drops file in Program Files directory 3 IoCs

Processes:

e5735d5.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e5735d5.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e5735d5.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e5735d5.exe

Drops file in Windows directory 4 IoCs

Processes:

e5735d5.exee5737d9.exee5756ab.exe

description	ioc	process
File created	C:\Windows\e573623	e5735d5.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5735d5.exe
File created	C:\Windows\e578666	e5737d9.exe
File created	C:\Windows\e57a50a	e5756ab.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e5735d5.exee5737d9.exe

pid process

2124 e5735d5.exe
2124 e5735d5.exe
2124 e5735d5.exe
2124 e5735d5.exe
1176 e5737d9.exe
1176 e5737d9.exe

pid	process
2124	e5735d5.exe
2124	e5735d5.exe
2124	e5735d5.exe
2124	e5735d5.exe
1176	e5737d9.exe
1176	e5737d9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5735d5.exe

description	pid	process
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe
Token: SeDebugPrivilege	2124	e5735d5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee5735d5.exee5737d9.exe

description	pid	process	target process
PID 1168 wrote to memory of 4900	1168	rundll32.exe	rundll32.exe
PID 1168 wrote to memory of 4900	1168	rundll32.exe	rundll32.exe
PID 1168 wrote to memory of 4900	1168	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 2124	4900	rundll32.exe	e5735d5.exe
PID 4900 wrote to memory of 2124	4900	rundll32.exe	e5735d5.exe
PID 4900 wrote to memory of 2124	4900	rundll32.exe	e5735d5.exe
PID 2124 wrote to memory of 804	2124	e5735d5.exe	fontdrvhost.exe
PID 2124 wrote to memory of 812	2124	e5735d5.exe	fontdrvhost.exe
PID 2124 wrote to memory of 396	2124	e5735d5.exe	dwm.exe
PID 2124 wrote to memory of 2684	2124	e5735d5.exe	sihost.exe
PID 2124 wrote to memory of 2712	2124	e5735d5.exe	svchost.exe
PID 2124 wrote to memory of 2844	2124	e5735d5.exe	taskhostw.exe
PID 2124 wrote to memory of 3572	2124	e5735d5.exe	Explorer.EXE
PID 2124 wrote to memory of 3724	2124	e5735d5.exe	svchost.exe
PID 2124 wrote to memory of 3904	2124	e5735d5.exe	DllHost.exe
PID 2124 wrote to memory of 4004	2124	e5735d5.exe	StartMenuExperienceHost.exe
PID 2124 wrote to memory of 4068	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 676	2124	e5735d5.exe	SearchApp.exe
PID 2124 wrote to memory of 4232	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 1492	2124	e5735d5.exe	TextInputHost.exe
PID 2124 wrote to memory of 3788	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 2184	2124	e5735d5.exe	backgroundTaskHost.exe
PID 2124 wrote to memory of 368	2124	e5735d5.exe	backgroundTaskHost.exe
PID 2124 wrote to memory of 1168	2124	e5735d5.exe	rundll32.exe
PID 2124 wrote to memory of 4900	2124	e5735d5.exe	rundll32.exe
PID 2124 wrote to memory of 4900	2124	e5735d5.exe	rundll32.exe
PID 4900 wrote to memory of 1176	4900	rundll32.exe	e5737d9.exe
PID 4900 wrote to memory of 1176	4900	rundll32.exe	e5737d9.exe
PID 4900 wrote to memory of 1176	4900	rundll32.exe	e5737d9.exe
PID 4900 wrote to memory of 5056	4900	rundll32.exe	e5756ab.exe
PID 4900 wrote to memory of 5056	4900	rundll32.exe	e5756ab.exe
PID 4900 wrote to memory of 5056	4900	rundll32.exe	e5756ab.exe
PID 2124 wrote to memory of 804	2124	e5735d5.exe	fontdrvhost.exe
PID 2124 wrote to memory of 812	2124	e5735d5.exe	fontdrvhost.exe
PID 2124 wrote to memory of 396	2124	e5735d5.exe	dwm.exe
PID 2124 wrote to memory of 2684	2124	e5735d5.exe	sihost.exe
PID 2124 wrote to memory of 2712	2124	e5735d5.exe	svchost.exe
PID 2124 wrote to memory of 2844	2124	e5735d5.exe	taskhostw.exe
PID 2124 wrote to memory of 3572	2124	e5735d5.exe	Explorer.EXE
PID 2124 wrote to memory of 3724	2124	e5735d5.exe	svchost.exe
PID 2124 wrote to memory of 3904	2124	e5735d5.exe	DllHost.exe
PID 2124 wrote to memory of 4004	2124	e5735d5.exe	StartMenuExperienceHost.exe
PID 2124 wrote to memory of 4068	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 676	2124	e5735d5.exe	SearchApp.exe
PID 2124 wrote to memory of 4232	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 1492	2124	e5735d5.exe	TextInputHost.exe
PID 2124 wrote to memory of 3788	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 2184	2124	e5735d5.exe	backgroundTaskHost.exe
PID 2124 wrote to memory of 368	2124	e5735d5.exe	backgroundTaskHost.exe
PID 2124 wrote to memory of 1176	2124	e5735d5.exe	e5737d9.exe
PID 2124 wrote to memory of 1176	2124	e5735d5.exe	e5737d9.exe
PID 2124 wrote to memory of 3196	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 2200	2124	e5735d5.exe	RuntimeBroker.exe
PID 2124 wrote to memory of 5056	2124	e5735d5.exe	e5756ab.exe
PID 2124 wrote to memory of 5056	2124	e5735d5.exe	e5756ab.exe
PID 2124 wrote to memory of 2088	2124	e5735d5.exe	DllHost.exe
PID 1176 wrote to memory of 804	1176	e5737d9.exe	fontdrvhost.exe
PID 1176 wrote to memory of 812	1176	e5737d9.exe	fontdrvhost.exe
PID 1176 wrote to memory of 396	1176	e5737d9.exe	dwm.exe
PID 1176 wrote to memory of 2684	1176	e5737d9.exe	sihost.exe
PID 1176 wrote to memory of 2712	1176	e5737d9.exe	svchost.exe
PID 1176 wrote to memory of 2844	1176	e5737d9.exe	taskhostw.exe
PID 1176 wrote to memory of 3572	1176	e5737d9.exe	Explorer.EXE
PID 1176 wrote to memory of 3724	1176	e5737d9.exe	svchost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

e5735d5.exee5737d9.exee5756ab.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5735d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5737d9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5756ab.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:812

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2712

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3572

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcbe39200a1d004e06f8e206497b5e223f1c2b52431429b8f90dcd5f67a4533d.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\e5735d5.exe
C:\Users\Admin\AppData\Local\Temp\e5735d5.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2124

C:\Users\Admin\AppData\Local\Temp\e5737d9.exe
C:\Users\Admin\AppData\Local\Temp\e5737d9.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1176

C:\Users\Admin\AppData\Local\Temp\e5756ab.exe
C:\Users\Admin\AppData\Local\Temp\e5756ab.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4232

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2184

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3196

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5735d5.exe
Filesize
97KB

MD5
28ddf2887997a8b2b4fb1712d2b7f01a

SHA1
95347684cbc4dbb1cf84413b43d94a72f8e66515

SHA256
40fc1393517538b3792263278ba3ac26a8d6a562fcb122693b33c2761e849fa3

SHA512
5e6ec1fbb34cb52f0e0d0c0f88f8ab896cd6655c4aed5c05ba4429801701b88c514c867305fe19ce03d0abbc3f43de89de43efe1d79884a335f4c7ff8e60894f

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
cc199e06829a2ffcc0cca4a9e2d148e0

SHA1
1a5e8ae037e7be1717171a13d1e6c3ccc85bb3da

SHA256
6777caef5e685001c484568d7ec77e60e0f9f95f59587eff3ab55097bc749b9f

SHA512
4a2d3da4d6d4b35a60dca472f3dcc2e3fa037f7aed07d41545ee6f7e098e9fe3df5fb862610ff6cc7e70b5d96d7e64f71236aafab4d9121c9e24f328080c2749

Download Submit
memory/1176-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1176-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1176-129-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download
memory/1176-112-0x0000000000B60000-0x0000000001C1A000-memory.dmp

Filesize
16.7MB

Download
memory/1176-57-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1176-55-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1176-52-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2124-40-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-70-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-28-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/2124-12-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-20-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-11-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-13-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-19-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-10-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-8-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-9-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-6-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-36-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-37-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-38-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-39-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-29-0x00000000019F0000-0x00000000019F2000-memory.dmp

Filesize
8KB

Download
memory/2124-50-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-95-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2124-34-0x00000000019F0000-0x00000000019F2000-memory.dmp

Filesize
8KB

Download
memory/2124-80-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-22-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-82-0x00000000019F0000-0x00000000019F2000-memory.dmp

Filesize
8KB

Download
memory/2124-21-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-59-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-61-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-62-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-64-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-66-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-68-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-74-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-72-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/2124-73-0x00000000007E0000-0x000000000189A000-memory.dmp

Filesize
16.7MB

Download
memory/4900-3-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4900-23-0x0000000003D00000-0x0000000003D02000-memory.dmp

Filesize
8KB

Download
memory/4900-26-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/4900-33-0x0000000003D00000-0x0000000003D02000-memory.dmp

Filesize
8KB

Download
memory/4900-24-0x0000000003D00000-0x0000000003D02000-memory.dmp

Filesize
8KB

Download
memory/5056-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/5056-56-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/5056-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5056-153-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download