Analysis
max time kernel: 1800s
max time network: 1603s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-06-2022 15:16

Static task: static1
Behavioral task: behavioral1
Sample: a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Resource: win7-20220414-en
General
Target: a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Size: 206KB
MD5: fb004cbf4dc92676367d9cf6a28ecc71
SHA1: 4bff625571dbc7b695b49fa94556ab0d130519aa
SHA256: a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541
SHA512: 9c6102e0cee339d1a0b4baee80786459a22486f3fa029c1ff9e8f0a8f165d36aee0f8489435545fba9b68162683d63764d812c40d7bc1ab4ded64efad7fafefd
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

UAC bypass
description | ioc | process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Windows security bypass
description | ioc | process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

suricata: ET MALWARE Sality - Fake Opera User-Agent

suricata: ET MALWARE Win32.Sality-GR Checkin
Contacts a large (845) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Disables RegEdit via registry modification (2 IoCs)
description | ioc | process
--- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | Au_.exe
Disables Task Manager via registry modification

Executes dropped EXE (1 IoCs)
pid | process
--- | ---
892 | Au_.exe
Modifies Windows Firewall (1 TTPs, 2 IoCs)

YARA matches
resource | yara_rule
--- | ---
behavioral2/memory/4896-131-0x0000000002600000-0x0000000003633000-memory.dmp | upx
behavioral2/memory/4896-133-0x0000000002600000-0x0000000003633000-memory.dmp | upx
behavioral2/memory/892-140-0x0000000005400000-0x0000000006433000-memory.dmp | upx
behavioral2/memory/892-143-0x0000000005400000-0x0000000006433000-memory.dmp | upx
behavioral2/memory/892-145-0x0000000005400000-0x0000000006433000-memory.dmp | upx
Loads dropped DLL (1 IoCs)
pid | process
--- | ---
892 | Au_.exe
Windows security modification
description | ioc | process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Checks whether UAC is enabled
description | ioc | process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries have description "File opened for modification" and process Au_.exe; the files are:
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jvisualvm.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\rmid.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\keytool.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\policytool.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\protocolhandler.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jabswitch.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\OLicenseHeartbeat.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\GRAPH.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\VPREVIEW.EXE
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\pack200.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\rmid.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\CLIENT\AppVDllSurrogate64.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\ktab.exe
- C:\PROGRAM FILES\7-ZIP\Uninstall.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\javah.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\serialver.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\officeappguardwin32.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX64\MICROSOFT ANALYSIS SERVICES\AS OLEDB\140\SQLDumper.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\Common.DBConnection.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\javap.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\ADDINS\MICROSOFT POWER QUERY FOR EXCEL INTEGRATED\BIN\Microsoft.Mashup.Container.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\orbd.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\javaw.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\msoasb.exe
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\OFFICE16\LICLUA.EXE
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\servertool.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\xjc.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\FLTLDR.EXE
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jsadebugd.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\orbd.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\SELFCERT.EXE
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\rmiregistry.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\policytool.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\CLIENT\AppVLP.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\javafxpackager.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jinfo.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\policytool.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\LIB\VISUALVM\PLATFORM\LIB\nbexec64.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\INTEGRATION\Integrator.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\misc.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOHTMED.EXE
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jarsigner.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\jrunscript.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\servertool.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\OFFICE16\MSOXMLED.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESCOMMONX64\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE
- C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VSTO\10.0\VSTOInstaller.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\rmiregistry.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\msoadfsb.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\orbd.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\rmiregistry.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\JRE\BIN\javaw.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\java.exe
- C:\PROGRAM FILES\JAVA\JRE1.8.0_66\BIN\javaws.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\keytool.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\wsgen.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\msoia.exe
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\OFFICE16\MSOUC.EXE
- C:\PROGRAM FILES\MICROSOFT OFFICE\ROOT\VFS\PROGRAMFILESX86\MICROSOFT OFFICE\OFFICE16\DCF\Common.DBConnection64.exe
- C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\chrome_proxy.exe
- C:\PROGRAM FILES\JAVA\JDK1.8.0_66\BIN\java-rmi.exe
Drops file in Windows directory (1 IoCs)
description | ioc | process
--- | --- | ---
File opened for modification | C:\Windows\SYSTEM.INI | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 listed entries, collapsed by process:
pid | process | entries
--- | --- | ---
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2
892 | Au_.exe | 62
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All 64 listed entries are identical:
description | pid | process
--- | --- | ---
Token: SeDebugPrivilege | 4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each entry reads "PID <pid> wrote to memory of <target pid>"; the 64 entries in order:
pid | process | target pid | target process
--- | --- | --- | ---
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2308 | netsh.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2308 | netsh.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2308 | netsh.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 804 | fontdrvhost.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 808 | fontdrvhost.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 64 | dwm.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2332 | sihost.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2344 | svchost.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2464 | taskhostw.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2432 | Explorer.EXE
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 3188 | svchost.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 3384 | DllHost.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 3484 | StartMenuExperienceHost.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 3548 | RuntimeBroker.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 3632 | SearchApp.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 3820 | RuntimeBroker.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 4536 | RuntimeBroker.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2308 | netsh.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 2308 | netsh.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 892 | Au_.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 892 | Au_.exe
4896 | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | 892 | Au_.exe
892 | Au_.exe | 2248 | netsh.exe
892 | Au_.exe | 2248 | netsh.exe
892 | Au_.exe | 2248 | netsh.exe
892 | Au_.exe | 804 | fontdrvhost.exe
892 | Au_.exe | 808 | fontdrvhost.exe
892 | Au_.exe | 64 | dwm.exe
892 | Au_.exe | 2332 | sihost.exe
892 | Au_.exe | 2344 | svchost.exe
892 | Au_.exe | 2464 | taskhostw.exe
892 | Au_.exe | 2432 | Explorer.EXE
892 | Au_.exe | 3188 | svchost.exe
892 | Au_.exe | 3384 | DllHost.exe
892 | Au_.exe | 3484 | StartMenuExperienceHost.exe
892 | Au_.exe | 3548 | RuntimeBroker.exe
892 | Au_.exe | 3632 | SearchApp.exe
892 | Au_.exe | 3820 | RuntimeBroker.exe
892 | Au_.exe | 4536 | RuntimeBroker.exe
892 | Au_.exe | 2248 | netsh.exe
892 | Au_.exe | 2248 | netsh.exe
892 | Au_.exe | 804 | fontdrvhost.exe
892 | Au_.exe | 808 | fontdrvhost.exe
892 | Au_.exe | 64 | dwm.exe
892 | Au_.exe | 2332 | sihost.exe
892 | Au_.exe | 2344 | svchost.exe
892 | Au_.exe | 2464 | taskhostw.exe
892 | Au_.exe | 2432 | Explorer.EXE
892 | Au_.exe | 3188 | svchost.exe
892 | Au_.exe | 3384 | DllHost.exe
892 | Au_.exe | 3484 | StartMenuExperienceHost.exe
892 | Au_.exe | 3548 | RuntimeBroker.exe
892 | Au_.exe | 3632 | SearchApp.exe
892 | Au_.exe | 3820 | RuntimeBroker.exe
892 | Au_.exe | 4536 | RuntimeBroker.exe
892 | Au_.exe | 804 | fontdrvhost.exe
892 | Au_.exe | 808 | fontdrvhost.exe
892 | Au_.exe | 64 | dwm.exe
892 | Au_.exe | 2332 | sihost.exe
892 | Au_.exe | 2344 | svchost.exe
892 | Au_.exe | 2464 | taskhostw.exe
892 | Au_.exe | 2432 | Explorer.EXE
892 | Au_.exe | 3188 | svchost.exe
892 | Au_.exe | 3384 | DllHost.exe
System policy modification (1 TTPs, 2 IoCs)
description | ioc | process
--- | --- | ---
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Processes
Each node is "image path | command line"; indentation shows the parent/child relationship, and the bullets under a node are the signatures triggered by that process.

- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe | "dwm.exe"
- C:\Windows\system32\sihost.exe | sihost.exe
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe | "C:\Users\Admin\AppData\Local\Temp\a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe"
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable
      - Modifies Windows Firewall
    - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable
        - Modifies Windows Firewall
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
      - C:\Windows\SysWOW64\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE"
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Downloads

File: C:\Users\Admin\AppData\Local\Temp\0E56CE41_Rar\a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541.exe
Filesize: 134KB
MD5: 4cd572bae4538eeaf5df3b89af9642c3
SHA1: fd6a663c724fb14a4cee5cee674e72b255119c2d
SHA256: 55e5ec0a25b942f59f3c51f786a98df371f965a01957e2b97b7de0355fb498b4
SHA512: 42ea2c18e171a727ae7bc39af4f2214c119cf60dff35c363d635a4307296d4397db2277370237a029c8e73ce1ed5e5b64c80a5aff8406ee3c207f70da39fef10

File: C:\Users\Admin\AppData\Local\Temp\nsnCFE9.tmp\LangDLL.dll
Filesize: 5KB
MD5: 7e1f6029e28f67c71c585e981611ba7c
SHA1: 7c6803a9611378d4beb5faa4bc0814743437d983
SHA256: c5c634ac2ba038d810f2d8464ab0e2ef488ceac538c5b46376fdd6ed03358dd3
SHA512: bb423020c833842729986ca230145e40eebd0797e84097e24bdeedf73587a56f05fa57b216e39579373794b13748bf7d2495ac6514f8742890cd1fa0c86726c1

File: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (listed twice in the report; identical to the submitted sample)
Filesize: 206KB
MD5: fb004cbf4dc92676367d9cf6a28ecc71
SHA1: 4bff625571dbc7b695b49fa94556ab0d130519aa
SHA256: a96216a59491a4eddf37491eb10a9b215124315305036cb268033c7ffe4e9541
SHA512: 9c6102e0cee339d1a0b4baee80786459a22486f3fa029c1ff9e8f0a8f165d36aee0f8489435545fba9b68162683d63764d812c40d7bc1ab4ded64efad7fafefd

File: C:\Windows\SYSTEM.INI
Filesize: 257B
MD5: 3be0259c8f3a9e0acd4ebca1002aaa63
SHA1: 1aac6327a02ca9bff1a38b422e5fbd267c966fce
SHA256: 6ba56d4b89056626365e202c851d38e756c1b6dc684f42e6fe0918ababb6489b
SHA512: ef8c1132f791e4229ec1be81e0bc8b59f456012bc2c70f42b6c6bd80e2b991cfaf6410d09e08a7e0a3c3c2761edf26dfd83ff1c8f61e52b74ec0b2387df9a65d