sality | 622174e43b5b44b25e70f942f089400e1baa481f95c3fff2a558a6fbdd71bbd4

Analysis

max time kernel
27s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

622174e43b5b44b25e70f942f089400e1baa481f95c3fff2a558a6fbdd71bbd4.dll
Size

120KB
MD5

5e20d7295c7e6c8d1c66a3f8b079ee8f
SHA1

1dbb205207051bd0358d9c6d8eee3a2ad023ca06
SHA256

622174e43b5b44b25e70f942f089400e1baa481f95c3fff2a558a6fbdd71bbd4
SHA512

89521e95e4d530e54eb0d9809bfa43d68a2be32dd2aad0f8703fa6654a1ecd86f8f36fcf73a52030057d3d25b985c2969ee9e0444f9da27c1d57c2cef9277c91
SSDEEP

1536:rdPvGlOURBS/MwRsE9aShCFyFeaoZjJswb+DSxEj9xbviBwWfuXCWl:rkvSHtwFGeZHb+n/ub2XC

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e57ed5d.exee580932.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e580932.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57ed5d.exee580932.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e580932.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e580932.exee57ed5d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57ed5d.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4416-6-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-8-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-12-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-25-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-32-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-34-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-33-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-35-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-10-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-9-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-11-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-36-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-37-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-38-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-39-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-40-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-42-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-43-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-52-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-54-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-55-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-65-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-67-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-70-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-73-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-75-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-74-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-83-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-84-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-85-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-87-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4416-89-0x00000000008C0000-0x000000000197A000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/2740-130-0x0000000000B30000-0x0000000001BEA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 36 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4416-6-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-8-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-12-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-25-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-32-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-34-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-33-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-35-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-10-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-9-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-11-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-36-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-37-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-38-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-39-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-40-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-42-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-43-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-52-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-54-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-55-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-65-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-67-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-70-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-73-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-75-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-74-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-83-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-84-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-85-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/4416-87-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/2784-111-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4416-107-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4416-89-0x00000000008C0000-0x000000000197A000-memory.dmp	UPX
behavioral2/memory/2740-129-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/2740-130-0x0000000000B30000-0x0000000001BEA000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

e57ed5d.exee57eee4.exee580932.exe

pid process

4416 e57ed5d.exe
2784 e57eee4.exe
2740 e580932.exe

pid	process
4416	e57ed5d.exe
2784	e57eee4.exe
2740	e580932.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4416-6-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-8-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-12-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-25-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-32-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-34-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-33-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-35-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-10-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-9-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-11-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-36-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-37-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-38-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-39-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-40-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-42-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-43-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-52-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-54-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-55-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-65-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-67-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-70-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-73-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-75-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-74-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-83-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-84-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-85-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-87-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/4416-89-0x00000000008C0000-0x000000000197A000-memory.dmp	upx
behavioral2/memory/2740-130-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e57ed5d.exee580932.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e580932.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57ed5d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e580932.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e580932.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e57ed5d.exee580932.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e580932.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e57ed5d.exe

description	ioc	process
File opened (read-only)	\??\N:	e57ed5d.exe
File opened (read-only)	\??\P:	e57ed5d.exe
File opened (read-only)	\??\G:	e57ed5d.exe
File opened (read-only)	\??\L:	e57ed5d.exe
File opened (read-only)	\??\M:	e57ed5d.exe
File opened (read-only)	\??\E:	e57ed5d.exe
File opened (read-only)	\??\H:	e57ed5d.exe
File opened (read-only)	\??\I:	e57ed5d.exe
File opened (read-only)	\??\K:	e57ed5d.exe
File opened (read-only)	\??\O:	e57ed5d.exe
File opened (read-only)	\??\Q:	e57ed5d.exe
File opened (read-only)	\??\J:	e57ed5d.exe
File opened (read-only)	\??\R:	e57ed5d.exe
File opened (read-only)	\??\S:	e57ed5d.exe

Drops file in Program Files directory 4 IoCs

Processes:

e57ed5d.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e57ed5d.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e57ed5d.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e57ed5d.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e57ed5d.exe

Drops file in Windows directory 3 IoCs

Processes:

e57ed5d.exee580932.exe

description ioc process

File created C:\Windows\e57edbb e57ed5d.exe
File opened for modification C:\Windows\SYSTEM.INI e57ed5d.exe
File created C:\Windows\e5857a1 e580932.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e57ed5d.exe

pid process

4416 e57ed5d.exe
4416 e57ed5d.exe
4416 e57ed5d.exe
4416 e57ed5d.exe

description	ioc	process
File created	C:\Windows\e57edbb	e57ed5d.exe
File opened for modification	C:\Windows\SYSTEM.INI	e57ed5d.exe
File created	C:\Windows\e5857a1	e580932.exe

pid	process
4416	e57ed5d.exe
4416	e57ed5d.exe
4416	e57ed5d.exe
4416	e57ed5d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e57ed5d.exe

description	pid	process
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe
Token: SeDebugPrivilege	4416	e57ed5d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee57ed5d.exe

description	pid	process	target process
PID 1228 wrote to memory of 4424	1228	rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 4424	1228	rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 4424	1228	rundll32.exe	rundll32.exe
PID 4424 wrote to memory of 4416	4424	rundll32.exe	e57ed5d.exe
PID 4424 wrote to memory of 4416	4424	rundll32.exe	e57ed5d.exe
PID 4424 wrote to memory of 4416	4424	rundll32.exe	e57ed5d.exe
PID 4416 wrote to memory of 772	4416	e57ed5d.exe	fontdrvhost.exe
PID 4416 wrote to memory of 768	4416	e57ed5d.exe	fontdrvhost.exe
PID 4416 wrote to memory of 60	4416	e57ed5d.exe	dwm.exe
PID 4416 wrote to memory of 2528	4416	e57ed5d.exe	sihost.exe
PID 4416 wrote to memory of 2652	4416	e57ed5d.exe	svchost.exe
PID 4416 wrote to memory of 2772	4416	e57ed5d.exe	taskhostw.exe
PID 4416 wrote to memory of 3444	4416	e57ed5d.exe	Explorer.EXE
PID 4416 wrote to memory of 3604	4416	e57ed5d.exe	svchost.exe
PID 4416 wrote to memory of 3820	4416	e57ed5d.exe	DllHost.exe
PID 4416 wrote to memory of 3912	4416	e57ed5d.exe	StartMenuExperienceHost.exe
PID 4416 wrote to memory of 3976	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 740	4416	e57ed5d.exe	SearchApp.exe
PID 4416 wrote to memory of 4048	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 3960	4416	e57ed5d.exe	TextInputHost.exe
PID 4416 wrote to memory of 4140	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 1748	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 3548	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 1412	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 1312	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 5068	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 4812	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 4116	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 1228	4416	e57ed5d.exe	rundll32.exe
PID 4416 wrote to memory of 4424	4416	e57ed5d.exe	rundll32.exe
PID 4416 wrote to memory of 4424	4416	e57ed5d.exe	rundll32.exe
PID 4424 wrote to memory of 2784	4424	rundll32.exe	e57eee4.exe
PID 4424 wrote to memory of 2784	4424	rundll32.exe	e57eee4.exe
PID 4424 wrote to memory of 2784	4424	rundll32.exe	e57eee4.exe
PID 4424 wrote to memory of 2740	4424	rundll32.exe	e580932.exe
PID 4424 wrote to memory of 2740	4424	rundll32.exe	e580932.exe
PID 4424 wrote to memory of 2740	4424	rundll32.exe	e580932.exe
PID 4416 wrote to memory of 772	4416	e57ed5d.exe	fontdrvhost.exe
PID 4416 wrote to memory of 768	4416	e57ed5d.exe	fontdrvhost.exe
PID 4416 wrote to memory of 60	4416	e57ed5d.exe	dwm.exe
PID 4416 wrote to memory of 2528	4416	e57ed5d.exe	sihost.exe
PID 4416 wrote to memory of 2652	4416	e57ed5d.exe	svchost.exe
PID 4416 wrote to memory of 2772	4416	e57ed5d.exe	taskhostw.exe
PID 4416 wrote to memory of 3444	4416	e57ed5d.exe	Explorer.EXE
PID 4416 wrote to memory of 3604	4416	e57ed5d.exe	svchost.exe
PID 4416 wrote to memory of 3820	4416	e57ed5d.exe	DllHost.exe
PID 4416 wrote to memory of 3912	4416	e57ed5d.exe	StartMenuExperienceHost.exe
PID 4416 wrote to memory of 3976	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 740	4416	e57ed5d.exe	SearchApp.exe
PID 4416 wrote to memory of 4048	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 3960	4416	e57ed5d.exe	TextInputHost.exe
PID 4416 wrote to memory of 4140	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 1748	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 3548	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 1412	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 1312	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 5068	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 4812	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 4116	4416	e57ed5d.exe	RuntimeBroker.exe
PID 4416 wrote to memory of 2784	4416	e57ed5d.exe	e57eee4.exe
PID 4416 wrote to memory of 2784	4416	e57ed5d.exe	e57eee4.exe
PID 4416 wrote to memory of 4980	4416	e57ed5d.exe	msedge.exe
PID 4416 wrote to memory of 2740	4416	e57ed5d.exe	e580932.exe
PID 4416 wrote to memory of 2740	4416	e57ed5d.exe	e580932.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e57ed5d.exee580932.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57ed5d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e580932.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:60

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2652

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\622174e43b5b44b25e70f942f089400e1baa481f95c3fff2a558a6fbdd71bbd4.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\622174e43b5b44b25e70f942f089400e1baa481f95c3fff2a558a6fbdd71bbd4.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\e57ed5d.exe
C:\Users\Admin\AppData\Local\Temp\e57ed5d.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4416

C:\Users\Admin\AppData\Local\Temp\e57eee4.exe
C:\Users\Admin\AppData\Local\Temp\e57eee4.exe
4⤵
- Executes dropped EXE
PID:2784

C:\Users\Admin\AppData\Local\Temp\e580932.exe
C:\Users\Admin\AppData\Local\Temp\e580932.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3912

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4048

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffbf00fceb8,0x7ffbf00fcec4,0x7ffbf00fced0
2⤵
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2288,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:2
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:3
2⤵
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1384,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:8
2⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4140,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
2⤵
PID:4980

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e57ed5d.exe
Filesize
97KB

MD5
9ee8c272f87e7fa290dddda1d74386ed

SHA1
06cf847d630e8d57bda3830d90167b6163f2f67e

SHA256
c7abecd44c82b9587ac8fc9ce5747785469bf1b364520e99880f048f17976b5d

SHA512
0cf7ef6c9f8f6f1b70ae52aca881b2ecfa837418c9f09dfae44c082d2b5da1a0a0994e7506598d5c54c3d1ba7f291e6f7c3f411c22e4ded5c4432982c9b723a1

Download Submit
C:\Windows\SYSTEM.INI
Filesize
256B

MD5
7b9212fe43910f9ad0e8632e24136636

SHA1
2d393b59c6fe2077fb36da0fa53c137d29f78d22

SHA256
73d6a433d79794883473167104c2e2f1f77c14746d64ae137c4f925f91112d23

SHA512
3b85c5e1a751180dcfe35a785367f221de69b3ada88b901208c62887225c305888f10cb66539eadfe397aa42d0aa408189f3877e77ba49b43c51ebfce969f6e3

Download Submit
memory/2740-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2740-129-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-62-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2740-130-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/2740-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2740-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-111-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2784-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2784-63-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2784-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4416-42-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-34-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-10-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-16-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/4416-26-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/4416-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4416-6-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-9-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-11-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-36-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-37-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-38-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-39-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-40-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-30-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/4416-43-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-35-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-52-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-54-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-55-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-33-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-98-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/4416-32-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-25-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-12-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-89-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-65-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-67-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-70-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-73-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-75-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-74-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-83-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-84-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-85-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-87-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-8-0x00000000008C0000-0x000000000197A000-memory.dmp

Filesize
16.7MB

Download
memory/4416-107-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4424-17-0x0000000001040000-0x0000000001042000-memory.dmp

Filesize
8KB

Download
memory/4424-29-0x0000000001040000-0x0000000001042000-memory.dmp

Filesize
8KB

Download
memory/4424-14-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/4424-13-0x0000000001040000-0x0000000001042000-memory.dmp

Filesize
8KB

Download
memory/4424-3-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download