sality | 1afee1e360b83dd26765376a455bba1391cca8302f05cb3dc13f25eff5f0b84b

Analysis

max time kernel
131s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1afee1e360b83dd26765376a455bba1391cca8302f05cb3dc13f25eff5f0b84b.dll
Size

120KB
MD5

923ff8bd292fe697210d8fa8f1915abd
SHA1

bdc783a237772c4ee84a8c4fea653385002ea5fe
SHA256

1afee1e360b83dd26765376a455bba1391cca8302f05cb3dc13f25eff5f0b84b
SHA512

ee22dfe438067135279aef0d5c8afb63b92cbbc19c89caafb503aea1ddae7f061923dd6e124a0c9b9e612e205621fac8e75afdae96e285dd20619a6266a00896
SSDEEP

1536:ibhn3zHjSdlEQcRcKe+1o/Tm8tNPW7nmoePfL63r88:sd3zDSDERclKwPonXT37

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 9 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e57589f.exee573a79.exee573cbb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e573a79.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573a79.exee573cbb.exee57589f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57589f.exe

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573cbb.exee57589f.exee573a79.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573a79.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1360-10-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-21-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-11-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-20-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-22-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-19-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-14-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-13-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-8-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-9-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-37-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-36-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-38-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-39-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-40-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-42-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-43-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-48-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-51-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-59-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-61-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-62-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-77-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-80-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-83-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-85-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-91-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-92-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-93-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-94-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1360-97-0x0000000000740000-0x00000000017FA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4592-128-0x0000000000B40000-0x0000000001BFA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4592-143-0x0000000000B40000-0x0000000001BFA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1360-10-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-21-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-11-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-20-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-22-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-19-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-14-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-13-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-8-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-9-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-37-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-36-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-38-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-39-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-40-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-42-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-43-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-48-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-51-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-59-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-61-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-62-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-77-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-80-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-83-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-85-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-91-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-92-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-93-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-94-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-97-0x0000000000740000-0x00000000017FA000-memory.dmp	UPX
behavioral2/memory/1360-116-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4592-128-0x0000000000B40000-0x0000000001BFA000-memory.dmp	UPX
behavioral2/memory/4592-144-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/4592-143-0x0000000000B40000-0x0000000001BFA000-memory.dmp	UPX
behavioral2/memory/4088-148-0x0000000000400000-0x0000000000412000-memory.dmp	UPX
behavioral2/memory/1376-176-0x0000000000400000-0x0000000000412000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

e573a79.exee573cbb.exee575719.exee57589f.exe

pid process

1360 e573a79.exe
4592 e573cbb.exe
4088 e575719.exe
1376 e57589f.exe

pid	process
1360	e573a79.exe
4592	e573cbb.exe
4088	e575719.exe
1376	e57589f.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1360-10-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-21-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-11-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-20-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-22-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-19-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-14-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-13-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-8-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-9-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-37-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-36-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-38-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-39-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-40-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-42-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-43-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-48-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-51-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-59-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-61-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-62-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-77-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-80-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-83-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-85-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-91-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-92-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-93-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-94-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/1360-97-0x0000000000740000-0x00000000017FA000-memory.dmp	upx
behavioral2/memory/4592-128-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx
behavioral2/memory/4592-143-0x0000000000B40000-0x0000000001BFA000-memory.dmp	upx

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e573a79.exee573cbb.exee57589f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e57589f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573cbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573a79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e573a79.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e57589f.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e573cbb.exee57589f.exee573a79.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573a79.exe

Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e573a79.exe

description	ioc	process
File opened (read-only)	\??\H:	e573a79.exe
File opened (read-only)	\??\R:	e573a79.exe
File opened (read-only)	\??\S:	e573a79.exe
File opened (read-only)	\??\J:	e573a79.exe
File opened (read-only)	\??\N:	e573a79.exe
File opened (read-only)	\??\O:	e573a79.exe
File opened (read-only)	\??\P:	e573a79.exe
File opened (read-only)	\??\K:	e573a79.exe
File opened (read-only)	\??\L:	e573a79.exe
File opened (read-only)	\??\M:	e573a79.exe
File opened (read-only)	\??\Q:	e573a79.exe
File opened (read-only)	\??\E:	e573a79.exe
File opened (read-only)	\??\G:	e573a79.exe
File opened (read-only)	\??\I:	e573a79.exe

Drops file in Program Files directory 4 IoCs

Processes:

e573a79.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e573a79.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e573a79.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e573a79.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	e573a79.exe

Drops file in Windows directory 4 IoCs

Processes:

e573a79.exee573cbb.exee57589f.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	e573a79.exe
File created	C:\Windows\e578b48	e573cbb.exe
File created	C:\Windows\e57a76b	e57589f.exe
File created	C:\Windows\e573ac7	e573a79.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

e573a79.exee573cbb.exee57589f.exe

pid process

1360 e573a79.exe
1360 e573a79.exe
1360 e573a79.exe
1360 e573a79.exe
4592 e573cbb.exe
4592 e573cbb.exe
1376 e57589f.exe
1376 e57589f.exe

pid	process
1360	e573a79.exe
1360	e573a79.exe
1360	e573a79.exe
1360	e573a79.exe
4592	e573cbb.exe
4592	e573cbb.exe
1376	e57589f.exe
1376	e57589f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e573a79.exe

description	pid	process
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe
Token: SeDebugPrivilege	1360	e573a79.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee573a79.exee573cbb.exe

description	pid	process	target process
PID 4004 wrote to memory of 4268	4004	rundll32.exe	rundll32.exe
PID 4004 wrote to memory of 4268	4004	rundll32.exe	rundll32.exe
PID 4004 wrote to memory of 4268	4004	rundll32.exe	rundll32.exe
PID 4268 wrote to memory of 1360	4268	rundll32.exe	e573a79.exe
PID 4268 wrote to memory of 1360	4268	rundll32.exe	e573a79.exe
PID 4268 wrote to memory of 1360	4268	rundll32.exe	e573a79.exe
PID 1360 wrote to memory of 788	1360	e573a79.exe	fontdrvhost.exe
PID 1360 wrote to memory of 784	1360	e573a79.exe	fontdrvhost.exe
PID 1360 wrote to memory of 336	1360	e573a79.exe	dwm.exe
PID 1360 wrote to memory of 2436	1360	e573a79.exe	sihost.exe
PID 1360 wrote to memory of 2480	1360	e573a79.exe	svchost.exe
PID 1360 wrote to memory of 2728	1360	e573a79.exe	taskhostw.exe
PID 1360 wrote to memory of 3512	1360	e573a79.exe	Explorer.EXE
PID 1360 wrote to memory of 3644	1360	e573a79.exe	svchost.exe
PID 1360 wrote to memory of 3836	1360	e573a79.exe	DllHost.exe
PID 1360 wrote to memory of 3936	1360	e573a79.exe	StartMenuExperienceHost.exe
PID 1360 wrote to memory of 4020	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 408	1360	e573a79.exe	SearchApp.exe
PID 1360 wrote to memory of 3688	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 2056	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4668	1360	e573a79.exe	TextInputHost.exe
PID 1360 wrote to memory of 1276	1360	e573a79.exe	backgroundTaskHost.exe
PID 1360 wrote to memory of 4072	1360	e573a79.exe	backgroundTaskHost.exe
PID 1360 wrote to memory of 4004	1360	e573a79.exe	rundll32.exe
PID 1360 wrote to memory of 4268	1360	e573a79.exe	rundll32.exe
PID 1360 wrote to memory of 4268	1360	e573a79.exe	rundll32.exe
PID 4268 wrote to memory of 4592	4268	rundll32.exe	e573cbb.exe
PID 4268 wrote to memory of 4592	4268	rundll32.exe	e573cbb.exe
PID 4268 wrote to memory of 4592	4268	rundll32.exe	e573cbb.exe
PID 4268 wrote to memory of 4088	4268	rundll32.exe	e575719.exe
PID 4268 wrote to memory of 4088	4268	rundll32.exe	e575719.exe
PID 4268 wrote to memory of 4088	4268	rundll32.exe	e575719.exe
PID 4268 wrote to memory of 1376	4268	rundll32.exe	e57589f.exe
PID 4268 wrote to memory of 1376	4268	rundll32.exe	e57589f.exe
PID 4268 wrote to memory of 1376	4268	rundll32.exe	e57589f.exe
PID 1360 wrote to memory of 788	1360	e573a79.exe	fontdrvhost.exe
PID 1360 wrote to memory of 784	1360	e573a79.exe	fontdrvhost.exe
PID 1360 wrote to memory of 336	1360	e573a79.exe	dwm.exe
PID 1360 wrote to memory of 2436	1360	e573a79.exe	sihost.exe
PID 1360 wrote to memory of 2480	1360	e573a79.exe	svchost.exe
PID 1360 wrote to memory of 2728	1360	e573a79.exe	taskhostw.exe
PID 1360 wrote to memory of 3512	1360	e573a79.exe	Explorer.EXE
PID 1360 wrote to memory of 3644	1360	e573a79.exe	svchost.exe
PID 1360 wrote to memory of 3836	1360	e573a79.exe	DllHost.exe
PID 1360 wrote to memory of 3936	1360	e573a79.exe	StartMenuExperienceHost.exe
PID 1360 wrote to memory of 4020	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 408	1360	e573a79.exe	SearchApp.exe
PID 1360 wrote to memory of 3688	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 2056	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4668	1360	e573a79.exe	TextInputHost.exe
PID 1360 wrote to memory of 1276	1360	e573a79.exe	backgroundTaskHost.exe
PID 1360 wrote to memory of 4592	1360	e573a79.exe	e573cbb.exe
PID 1360 wrote to memory of 4592	1360	e573a79.exe	e573cbb.exe
PID 1360 wrote to memory of 5112	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4224	1360	e573a79.exe	RuntimeBroker.exe
PID 1360 wrote to memory of 4088	1360	e573a79.exe	e575719.exe
PID 1360 wrote to memory of 4088	1360	e573a79.exe	e575719.exe
PID 1360 wrote to memory of 1376	1360	e573a79.exe	e57589f.exe
PID 1360 wrote to memory of 1376	1360	e573a79.exe	e57589f.exe
PID 4592 wrote to memory of 788	4592	e573cbb.exe	fontdrvhost.exe
PID 4592 wrote to memory of 784	4592	e573cbb.exe	fontdrvhost.exe
PID 4592 wrote to memory of 336	4592	e573cbb.exe	dwm.exe
PID 4592 wrote to memory of 2436	4592	e573cbb.exe	sihost.exe
PID 4592 wrote to memory of 2480	4592	e573cbb.exe	svchost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

e573cbb.exee57589f.exee573a79.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573cbb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e57589f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e573a79.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2480

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2728

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1afee1e360b83dd26765376a455bba1391cca8302f05cb3dc13f25eff5f0b84b.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1afee1e360b83dd26765376a455bba1391cca8302f05cb3dc13f25eff5f0b84b.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\e573a79.exe
C:\Users\Admin\AppData\Local\Temp\e573a79.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1360

C:\Users\Admin\AppData\Local\Temp\e573cbb.exe
C:\Users\Admin\AppData\Local\Temp\e573cbb.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4592

C:\Users\Admin\AppData\Local\Temp\e575719.exe
C:\Users\Admin\AppData\Local\Temp\e575719.exe
4⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\AppData\Local\Temp\e57589f.exe
C:\Users\Admin\AppData\Local\Temp\e57589f.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3936

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2056

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4668

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1276

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e573a79.exe
Filesize
97KB

MD5
7972c1901878995895093e3e84ed9250

SHA1
02e20232176f61ebf1e46340328deeead333b9c8

SHA256
c2d966c566c9ac1ed3060837e0b53885c36e3115ffd9d76b0f9740c1a441a6ad

SHA512
1273e7b6d97bff8adf9b8c9234beb8e5f169d64922013ecf56e824d67d35dd46a52e22383b97e1c99602a9583b39aee88459afe97fa9f63d1adadf72bf88d023

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
2d85cbe901cbc815c4d642126b69abbb

SHA1
575ae81cbcc05f0bb2f162de5bd1381754038234

SHA256
ce74a6d9a146cac99d4883c8a413aac9f99f3d323209d4f6d841f5c8457f9f23

SHA512
c101b0d0ca0ae9d76b36e0760f7305fcd5758c7bbaf640112bcd23ac797f0f5d8b570998cc2c19ada74736a4127c914d8df106abb7040be044e6fd87a5cc9eb1

Download Submit
memory/1360-51-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-20-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1360-11-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-59-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-116-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1360-22-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-34-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/1360-97-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-30-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/1360-95-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/1360-94-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-93-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-19-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-14-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-13-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-8-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-9-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-35-0x00000000037A0000-0x00000000037A2000-memory.dmp

Filesize
8KB

Download
memory/1360-37-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-36-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-38-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-39-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-40-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-61-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-43-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-92-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-48-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-21-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-10-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-42-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-62-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-91-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-85-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-83-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-80-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1360-77-0x0000000000740000-0x00000000017FA000-memory.dmp

Filesize
16.7MB

Download
memory/1376-70-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1376-74-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1376-176-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1376-72-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4088-71-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4088-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4088-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4088-73-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4088-68-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4268-28-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/4268-24-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/4268-23-0x00000000008D0000-0x00000000008D2000-memory.dmp

Filesize
8KB

Download
memory/4268-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4268-26-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/4592-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4592-64-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4592-128-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4592-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4592-143-0x0000000000B40000-0x0000000001BFA000-memory.dmp

Filesize
16.7MB

Download
memory/4592-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4592-66-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download