sality | 363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Size

6.3MB
MD5

b0bd17e3c1447a1f1ad35fddc5007f26
SHA1

7ceb51392d32f113f07300c636112bc311330e38
SHA256

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7
SHA512

707afbec914a32c6285db891f78ae47ded8d24befc72ca71b994b3fb2dce2e31efa002a3c24d904a526040a76c77cb19448e06694c2b54c4cefa206a7c5da95c
SSDEEP

196608:EYub1Ls+UIUwgT4Ot8DS2Dpcbw7lgssa4B:Tub1avPF8JYGlgsjI

Score

10^/10

sality backdoor discovery evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1504-1-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-9-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-15-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-10-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-25-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-28-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-33-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-26-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-16-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-34-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-53-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-54-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-65-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-66-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-67-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-69-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-70-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-71-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-73-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-74-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-80-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-82-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-85-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-87-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-89-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-91-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-98-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-100-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-102-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-104-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-106-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-108-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-111-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-113-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-115-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-117-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/1504-119-0x0000000002210000-0x00000000032CA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1504-1-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-9-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-15-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-10-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-25-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-28-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-33-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-26-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-16-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-34-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-53-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-54-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-65-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-66-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-67-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-69-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-70-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-71-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-73-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-74-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-80-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-82-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-85-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-87-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-89-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-91-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-98-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-100-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-102-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-104-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-106-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-108-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-111-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-113-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-115-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-117-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX
behavioral2/memory/1504-119-0x0000000002210000-0x00000000032CA000-memory.dmp	UPX

Loads dropped DLL 1 IoCs

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

pid process

1604 363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

pid	process
1604	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1504-1-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-9-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-15-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-10-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-25-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-28-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-33-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-26-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-16-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-34-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-53-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-54-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-65-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-66-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-67-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-69-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-70-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-71-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-73-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-74-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-80-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-82-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-85-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-87-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-89-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-91-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-98-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-100-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-102-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-104-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-106-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-108-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-111-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-113-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-115-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-117-0x0000000002210000-0x00000000032CA000-memory.dmp	upx
behavioral2/memory/1504-119-0x0000000002210000-0x00000000032CA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Drops file in Windows directory 2 IoCs

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	ioc	process
File created	C:\Windows\e577520	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
File opened for modification	C:\Windows\SYSTEM.INI	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

pid process

1504 363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
1504 363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

pid	process
1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	pid	process
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Token: SeDebugPrivilege	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	pid	process	target process
PID 1504 wrote to memory of 780	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	fontdrvhost.exe
PID 1504 wrote to memory of 788	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	fontdrvhost.exe
PID 1504 wrote to memory of 336	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	dwm.exe
PID 1504 wrote to memory of 2556	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	sihost.exe
PID 1504 wrote to memory of 2592	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	svchost.exe
PID 1504 wrote to memory of 2680	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	taskhostw.exe
PID 1504 wrote to memory of 3552	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	Explorer.EXE
PID 1504 wrote to memory of 3660	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	svchost.exe
PID 1504 wrote to memory of 3856	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	DllHost.exe
PID 1504 wrote to memory of 3948	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	StartMenuExperienceHost.exe
PID 1504 wrote to memory of 4036	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	RuntimeBroker.exe
PID 1504 wrote to memory of 404	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	SearchApp.exe
PID 1504 wrote to memory of 1604	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
PID 1504 wrote to memory of 1604	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
PID 1504 wrote to memory of 1604	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
PID 1504 wrote to memory of 3564	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	RuntimeBroker.exe
PID 1504 wrote to memory of 4216	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	RuntimeBroker.exe
PID 1504 wrote to memory of 1488	1504	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe	TextInputHost.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:336

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2592

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2680

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
"C:\Users\Admin\AppData\Local\Temp\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504

C:\Users\Admin\AppData\Local\Temp\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
"C:\Users\Admin\AppData\Local\Temp\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe" -burn.unelevated BurnPipe.{FC931702-FCE8-4F51-8F40-79B9B42C159B} {31F01026-3016-47D3-BD96-7693317C68FA} 1504
3⤵
- Loads dropped DLL
PID:1604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3856

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4036

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3564

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4216

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E577530_Rar\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Filesize
6.2MB

MD5
c87127b3715d0cbcf93e9053797aab84

SHA1
da9978f5e493b20d9d38e958882f47ff047cf527

SHA256
d6b22291baa4a47eaec054c1332c258572c2f7cd9cb961548a46c56aefc0f64c

SHA512
35f04cb369b588d28d777041bb09a7807ce4ecfe0b646af9f54ca9a4e8af9237bfd72132ffdba9e5ab90f35572cf8961c12e4c71dd3338931781bc37be2fede2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E577743_Rar\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Filesize
4.7MB

MD5
e203cca88f04427ccedde3e19a1d6042

SHA1
c20076e3b6f357e2ea7a8bcd21fe95b00b528f69

SHA256
18cc5718638859fa541931a696a4d98a560a54635e09623c1ea350a070bebe14

SHA512
62d7255f418d26fda7c5a02c60aa2737c01804ae84e049b4502cad92ad93841929acd264ad7b0d86474dbc1416036404cc64e556aee6a4bf87be1f7d21c2e3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E577753_Rar\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Filesize
4.5MB

MD5
cfd198b1020c93305a371e5794728be7

SHA1
538aeacb24454a8635e3a804b33264bcab178fc7

SHA256
fcf39f071f1e4fc2d11cce8c18ce82c41ebbbf22f061f3354c27d9813ab51d56

SHA512
5a11ba9fe8cf56ea10e31989b2c62c2a68fa3ed6cb7916e2a4aaa435448975f0720b3c9d8eb4d45b7025e486024b7fde68f6e187251bd73c0f8615444135d349

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E5777C0_Rar\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Filesize
5.3MB

MD5
ed375b54528072ae79471e693e94e46e

SHA1
3c6cda8de4a19ded9c113105ab32d7e3307d4a19

SHA256
244f731ce05dd8d50f70a1be7a3b522c7ef045ce737b806d98410c758bcaf352

SHA512
71ac0da2f565ed23764a0ceb213fc8b01ac7a9e9d634167dcf88d2251f676298312523f43843b9aeeb7d272e7f6de7df39f62940a50d29ab8f3e5ad9d762d3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E5777D0_Rar\363ecffc5be8bafacf76d39495a34e285f9608479e46cc562ea0739cba4dc0c7.exe
Filesize
5.4MB

MD5
fff82ae99134f75e58b76f67ffe2c81a

SHA1
45f3f5f06dcb46140d41a33dc92873c7fc78f57d

SHA256
65e318a8f0bef74d30638f1bc5b84652b8e3017a1ad4c90789986aaf981eb96e

SHA512
310c3851668292d1fefca07d9cc445532fd2e779257539876ff74bb31514b9b3432f403aabe647b294e7a6d4735908d70d7570f5058d4d33eff0363530bff980

Download Submit
C:\Users\Admin\AppData\Local\Temp\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\.ba1\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\.ba1\wixstdba.dll
Filesize
126KB

MD5
d7bf29763354eda154aad637017b5483

SHA1
dfa7d296bfeecde738ef4708aaabfebec6bc1e48

SHA256
7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

SHA512
1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Download Submit
F:\naxdq.exe
Filesize
97KB

MD5
93eab3703ef53a2a45cfdb0748a45418

SHA1
5c48e0729ee663c79f8524c585c9273ec88e7107

SHA256
24ed991577f06860e15006893827b83dda19be24d37312e80019447674fcd9ff

SHA512
72f767dfba26443d9a5ba3878d4b21bb45d6f97bbf248a3dc44ffebc829115b185fee487c32a5b05d2cb32c9a93b8407a0ada920e82927e092a3593d573bbdb1

Download Submit
memory/1504-73-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-110-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/1504-32-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/1504-28-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-33-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-31-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/1504-26-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-29-0x0000000003F60000-0x0000000003F62000-memory.dmp

Filesize
8KB

Download
memory/1504-16-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-34-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-53-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-54-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-65-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-66-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-67-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-69-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-70-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-71-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-25-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-74-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-80-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-82-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1504-1-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-85-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-87-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-89-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-91-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-98-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-100-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-102-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-104-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-106-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-108-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-30-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/1504-111-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-113-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-115-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-117-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-119-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-10-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-15-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1504-9-0x0000000002210000-0x00000000032CA000-memory.dmp

Filesize
16.7MB

Download
memory/1604-78-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1604-27-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1604-79-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1604-77-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download