Analysis
max time kernel: 40s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 20:17
Static task: static1
Behavioral task: behavioral1
Sample: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Resource: win7-20240221-en
General
Target: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Size: 1.4MB
MD5: 325498b217d0b0ec66422357f0481dfa
SHA1: c85f1a5a0fec0d752525edc810ae2e96b6a5375c
SHA256: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5
SHA512: 41a00b502303d06fad9f86a94c74f8cd84984a6f91e1c100df96866c21d5ad071d1067623b8332a34dd57cb8c8802377b14cbe6013c189bb13f41394f8156e91
SSDEEP: 24576:dO2uYj3kfi6KUjjcbnB7lY1SUkhYigJI1f+avnDKfydfqf0U3J:+s6FcbnDb4JI1f+sDKfydif0S
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | system.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | system.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | system.exe
Blocklisted process makes network request 1 IoCs
Processes: Rundll32.exe
flow | pid | process
9 | 4640 | Rundll32.exe
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Rundll32.exe
Executes dropped EXE 2 IoCs
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
pid | process
4752 | system.exe
3536 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Loads dropped DLL 3 IoCs
Processes: Rundll32.exe, Rundll32.exe
pid | process
4736 | Rundll32.exe
4640 | Rundll32.exe
4640 | Rundll32.exe
Processes:
resource | yara_rule
behavioral2/memory/4752-10-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-12-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-15-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-17-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-29-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-40-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-48-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-53-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-50-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-54-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-55-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-56-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-60-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4752-66-0x0000000002190000-0x000000000324A000-memory.dmp | upx
behavioral2/memory/4416-93-0x0000000002E50000-0x0000000003F0A000-memory.dmp | upx
behavioral2/memory/4416-95-0x0000000002E50000-0x0000000003F0A000-memory.dmp | upx
behavioral2/memory/4416-96-0x0000000002E50000-0x0000000003F0A000-memory.dmp | upx
behavioral2/memory/4416-97-0x0000000002E50000-0x0000000003F0A000-memory.dmp | upx
behavioral2/memory/4416-180-0x0000000002E50000-0x0000000003F0A000-memory.dmp | upx
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe" | Rundll32.exe
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Enumerates connected drives 3 TTPs 5 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe, Rundll32.exe
description | ioc | process
File opened (read-only) | \??\H: | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
File opened (read-only) | \??\D: | Rundll32.exe
File opened (read-only) | \??\F: | Rundll32.exe
File opened (read-only) | \??\E: | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
File opened (read-only) | \??\G: | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Drops file in System32 directory 3 IoCs
Processes: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe, system.exe
description | ioc | process
File created | C:\Windows\SysWOW64\system.exe | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
File created | C:\Windows\SysWOW64\nuvcrgaa.dll | system.exe
File created | C:\Windows\SysWOW64\wtbhrgaa.dll | system.exe
Drops file in Program Files directory 2 IoCs
Processes: Rundll32.exe
description | ioc | process
File opened for modification | C:\Program Files\KAV\CDriver.sys | Rundll32.exe
File opened for modification | C:\Program Files\KAV\CDriver.Inf | Rundll32.exe
Drops file in Windows directory 3 IoCs
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
File created | C:\Windows\e580990 | system.exe
File opened for modification | C:\Windows\SYSTEM.INI | system.exe
File created | C:\Windows\e58369b | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | process
4836 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: Rundll32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | Rundll32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | Rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | Rundll32.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | Rundll32.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: system.exe, Rundll32.exe, Rundll32.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
pid | process
4752 | system.exe (2 entries)
4736 | Rundll32.exe (10 entries)
4640 | Rundll32.exe (2 entries)
4416 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe (4 entries)
Suspicious behavior: RenamesItself 1 IoCs
Processes: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
pid | process
4416 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: system.exe
description | pid | process
Token: SeDebugPrivilege | 4752 | system.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe, system.exe, Rundll32.exe, net.exe, net.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | pid | process | target process
PID 4416 wrote to memory of 4752 | 4416 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe | system.exe (3 entries)
PID 4752 wrote to memory of 4736 | 4752 | system.exe | Rundll32.exe (3 entries)
PID 4736 wrote to memory of 2912 | 4736 | Rundll32.exe | net.exe (3 entries)
PID 4736 wrote to memory of 1536 | 4736 | Rundll32.exe | net.exe (3 entries)
PID 4752 wrote to memory of 796 | 4752 | system.exe | fontdrvhost.exe
PID 4752 wrote to memory of 792 | 4752 | system.exe | fontdrvhost.exe
PID 4752 wrote to memory of 388 | 4752 | system.exe | dwm.exe
PID 4752 wrote to memory of 2432 | 4752 | system.exe | sihost.exe
PID 4752 wrote to memory of 2444 | 4752 | system.exe | svchost.exe
PID 4752 wrote to memory of 2536 | 4752 | system.exe | taskhostw.exe
PID 4752 wrote to memory of 3268 | 4752 | system.exe | Explorer.EXE
PID 4752 wrote to memory of 3580 | 4752 | system.exe | svchost.exe
PID 4752 wrote to memory of 3772 | 4752 | system.exe | DllHost.exe
PID 4752 wrote to memory of 3892 | 4752 | system.exe | StartMenuExperienceHost.exe
PID 4752 wrote to memory of 3972 | 4752 | system.exe | RuntimeBroker.exe
PID 4752 wrote to memory of 4088 | 4752 | system.exe | SearchApp.exe
PID 4752 wrote to memory of 4192 | 4752 | system.exe | RuntimeBroker.exe
PID 4752 wrote to memory of 4812 | 4752 | system.exe | RuntimeBroker.exe
PID 4752 wrote to memory of 4580 | 4752 | system.exe | TextInputHost.exe
PID 4752 wrote to memory of 5052 | 4752 | system.exe | msedge.exe
PID 4752 wrote to memory of 3984 | 4752 | system.exe | msedge.exe
PID 4752 wrote to memory of 2472 | 4752 | system.exe | msedge.exe
PID 4752 wrote to memory of 4824 | 4752 | system.exe | msedge.exe
PID 4752 wrote to memory of 3880 | 4752 | system.exe | msedge.exe
PID 4752 wrote to memory of 4112 | 4752 | system.exe | msedge.exe
PID 4752 wrote to memory of 4844 | 4752 | system.exe | msedge.exe
PID 4752 wrote to memory of 4416 | 4752 | system.exe | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe (2 entries)
PID 4752 wrote to memory of 4736 | 4752 | system.exe | Rundll32.exe (2 entries)
PID 4752 wrote to memory of 2912 | 4752 | system.exe | net.exe (2 entries)
PID 1536 wrote to memory of 4396 | 1536 | net.exe | net1.exe (3 entries)
PID 2912 wrote to memory of 4276 | 2912 | net.exe | net1.exe (3 entries)
PID 4752 wrote to memory of 1536 | 4752 | system.exe | net.exe (2 entries)
PID 4752 wrote to memory of 1396 | 4752 | system.exe | sihclient.exe
PID 4752 wrote to memory of 4136 | 4752 | system.exe | Conhost.exe
PID 4736 wrote to memory of 4836 | 4736 | Rundll32.exe | sc.exe (3 entries)
PID 4752 wrote to memory of 4640 | 4752 | system.exe | Rundll32.exe (3 entries)
PID 4416 wrote to memory of 3536 | 4416 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe (3 entries)
PID 3536 wrote to memory of 3348 | 3536 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe | msedge.exe (2 entries)
PID 4416 wrote to memory of 796 | 4416 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe | fontdrvhost.exe
PID 4416 wrote to memory of 792 | 4416 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe | fontdrvhost.exe
PID 4416 wrote to memory of 388 | 4416 | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe | dwm.exe
System policy modification 1 TTPs 2 IoCs
Processes: system.exe, 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
Processes
(The number in brackets is the depth of the entry in the process tree.)

[1] C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
    PID: 796

[1] C:\Windows\system32\fontdrvhost.exe
    cmd: "fontdrvhost.exe"
    PID: 792

[1] C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"
    PID: 388

[1] C:\Windows\system32\sihost.exe
    cmd: sihost.exe
    PID: 2432

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2444

[1] C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2536

[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
    PID: 3268

[2] C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 4416

[3] C:\Windows\SysWOW64\system.exe
    cmd: C:\Windows\system32\system.exe
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 4752

[4] C:\Windows\SysWOW64\Rundll32.exe
    cmd: Rundll32 C:\Windows\system32\nuvcrgaa.dll Exucute
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4736

[5] C:\Windows\SysWOW64\net.exe
    cmd: net stop WinDefend
    - Suspicious use of WriteProcessMemory
    PID: 2912

[6] C:\Windows\System32\Conhost.exe
    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 4136

[6] C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop WinDefend
    PID: 4276

[5] C:\Windows\SysWOW64\net.exe
    cmd: net stop MpsSvc
    - Suspicious use of WriteProcessMemory
    PID: 1536

[6] C:\Windows\SysWOW64\net1.exe
    cmd: C:\Windows\system32\net1 stop MpsSvc
    PID: 4396

[5] C:\Windows\SysWOW64\sc.exe
    cmd: "C:\Windows\System32\sc.exe" stop PolicyAgent
    - Launches sc.exe
    PID: 4836

[4] C:\Windows\SysWOW64\Rundll32.exe
    cmd: Rundll32 C:\Windows\system32\wtbhrgaa.dll Exucute
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID: 4640

[3] C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID: 3536

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://baoku.360.cn/
    PID: 3348

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3580

[1] C:\Windows\system32\DllHost.exe
    cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3772

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 3892

[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3972

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 4088

[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4192

[1] C:\Windows\System32\RuntimeBroker.exe
    cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4812

[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 4580

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    PID: 5052

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0
    PID: 3984

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2244 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:2
    PID: 2472

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:3
    PID: 4824

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2468 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    PID: 3880

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5204 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
    PID: 4112

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5416 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
    PID: 4844

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=2052 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
    PID: 2668

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2144 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
    PID: 4200

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5744 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    PID: 2348

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5876 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
    PID: 552

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5396 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
    PID: 4572

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4620 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    PID: 2520

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6124 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    PID: 4556

[1] C:\Windows\System32\sihclient.exe
    cmd: C:\Windows\System32\sihclient.exe /cv CS5xfzsoDUSBZ/cngqUv2A.0.2
    PID: 1396
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify Tools (3)
  Modify Registry (6)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\249A.tmp
  Filesize: 4.3MB
  MD5: 6c7cdd25c2cb0073306eb22aebfc663f
  SHA1: a1eba8ab49272b9852fe6a543677e8af36271248
  SHA256: 58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705
  SHA512: 17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6
-
C:\Users\Admin\AppData\Local\Temp\9dff5488ebde401913d3fadf77a904719a97e8538990e9653a1f1a012d4ab9a5.exe
  Filesize: 604KB
  MD5: 0379e70afd7d57a717a167aba8f2bf18
  SHA1: 02ac6d57f1eb69553ed5ec286af5d170e21fad7e
  SHA256: 4aeb1dd860b8437a4ac3adc63516d33634613f527b266bd205380bf9c399d287
  SHA512: 72ae74cedf89d7cae83d72e52a58ec7a4aac8313a4e5b24743f6cceea1551fa9d9922bceeac57ad2a95e153f9bcf9df9f5c91e275422106de1f56394951f71b8
-
C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 481b082183b5e69532661442bb872f6e
  SHA1: dad2aa18e4c85a7998f2145f98fed1a49259e494
  SHA256: ec9a681ed543a26ded60c9d5b599693c66a3784f3fdabdc8f2c327af8bbae48f
  SHA512: 7dd4341ecbaab9b7a16e3a10aee41394be05ec12004195e0d7e78b01aabc05e724d0ff974761f4373b4251ad55ecfa88695918899df1dec947407c9760d3e7bb
-
C:\Windows\SysWOW64\nuvcrgaa.dll
  Filesize: 57KB
  MD5: c848f68231f5ac20c4245f84079a9759
  SHA1: 2a11d803f5103534902419b9e8b54a0144bc3551
  SHA256: 8158733f86af1ffcf56df01831c69cf18effa94a77acd51189a7ba364a1d9f92
  SHA512: bae7ae9269565186e78609613d4406553f8848bf96e853118704bca0908a0db04907d52d1440cce2c8f9061740ba0a16b091ea3f71bf012e9b2368fb1d751845
-
C:\Windows\SysWOW64\system.exe
  Filesize: 860KB
  MD5: 89a618337b7842fc9d21840d031901e7
  SHA1: 04adb161ed30732d4fa0416aa6f82b94c21a1e51
  SHA256: 084021e8c8914a1be6a55d107fecb45495ea87d3702e5bf17ae14121993e3a25
  SHA512: cd9e30d4ad5644a61ff8bc938a09d56852f830978c9d0a2d8dc7866953d3909f248f4d200abb89cec7f0fa18f1aa6c0abe5cacb9c8aa4faf3deb94640ce5f1fb
-
C:\Windows\SysWOW64\wtbhrgaa.dll
  Filesize: 18KB
  MD5: 921039f6ac6a00846b4051b541001d03
  SHA1: 1667e66311f8a3528bb12de1afb6a8f23e45c9b0
  SHA256: 5f3169f76a37f227621e96d263d52ca15e4462f73a9a6f8968c9689ec63e78bc
  SHA512: 80efcaf4007290f25ab789b721ad18ee401cb99999ee79e1cc7931c7a31ebd753016266025fb159a76efa436fac912b7b5254aed4f8c5e6aaaf2c83365f7b4a9
-
F:\yvgak.pif
  Filesize: 97KB
  MD5: 5b64b14b6e8c85e6c7b79d63d7743302
  SHA1: 8a992c7654fca79ee90ac2e6ad85cb49d14d1e8c
  SHA256: 013878d38fc2c451ed2b83db64604b8258d7159d39a0472484fe89184f73fdf2
  SHA512: b505302cfdb9034881aa9864e015c3d07027d88d4d30b0eb3d31e3e9b211699134a5fd171b166dcd03854f328b7276fb3282be0969323cbf41e28a3edec1064f
-
memory/1536-49-0x0000000000AF0000-0x0000000000AF2000-memory.dmp
  Filesize: 8KB
-
memory/1536-47-0x0000000000AF0000-0x0000000000AF2000-memory.dmp
  Filesize: 8KB
-
memory/1536-43-0x0000000000E40000-0x0000000000E41000-memory.dmp
  Filesize: 4KB
-
memory/2912-45-0x0000000000E40000-0x0000000000E42000-memory.dmp
  Filesize: 8KB
-
memory/2912-57-0x0000000000E40000-0x0000000000E42000-memory.dmp
  Filesize: 8KB
-
memory/2912-39-0x0000000000E60000-0x0000000000E61000-memory.dmp
  Filesize: 4KB
-
memory/3536-183-0x0000000002A20000-0x0000000002A22000-memory.dmp
  Filesize: 8KB
-
memory/3536-91-0x00000000006E0000-0x00000000006E1000-memory.dmp
  Filesize: 4KB
-
memory/3536-113-0x0000000002A20000-0x0000000002A22000-memory.dmp
  Filesize: 8KB
-
memory/3536-102-0x0000000002A70000-0x0000000002A71000-memory.dmp
  Filesize: 4KB
-
memory/3536-103-0x0000000002A20000-0x0000000002A22000-memory.dmp
  Filesize: 8KB
-
memory/4416-19-0x0000000000AB0000-0x0000000000AB2000-memory.dmp
  Filesize: 8KB
-
memory/4416-16-0x0000000000AB0000-0x0000000000AB2000-memory.dmp
  Filesize: 8KB
-
memory/4416-180-0x0000000002E50000-0x0000000003F0A000-memory.dmp
  Filesize: 16.7MB
-
memory/4416-0-0x0000000000670000-0x00000000007E4000-memory.dmp
  Filesize: 1.5MB
-
memory/4416-18-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
  Filesize: 4KB
-
memory/4416-111-0x0000000000AB0000-0x0000000000AB2000-memory.dmp
  Filesize: 8KB
-
memory/4416-97-0x0000000002E50000-0x0000000003F0A000-memory.dmp
  Filesize: 16.7MB
-
memory/4416-96-0x0000000002E50000-0x0000000003F0A000-memory.dmp
  Filesize: 16.7MB
-
memory/4416-95-0x0000000002E50000-0x0000000003F0A000-memory.dmp
  Filesize: 16.7MB
-
memory/4416-93-0x0000000002E50000-0x0000000003F0A000-memory.dmp
  Filesize: 16.7MB
-
memory/4416-42-0x0000000000670000-0x00000000007E4000-memory.dmp
  Filesize: 1.5MB
-
memory/4640-112-0x00000000036E0000-0x00000000036E2000-memory.dmp
  Filesize: 8KB
-
memory/4640-99-0x0000000003770000-0x0000000003771000-memory.dmp
  Filesize: 4KB
-
memory/4640-100-0x00000000036E0000-0x00000000036E2000-memory.dmp
  Filesize: 8KB
-
memory/4640-182-0x00000000036E0000-0x00000000036E2000-memory.dmp
  Filesize: 8KB
-
memory/4736-37-0x0000000002F00000-0x0000000002F02000-memory.dmp
  Filesize: 8KB
-
memory/4736-61-0x0000000002F00000-0x0000000002F02000-memory.dmp
  Filesize: 8KB
-
memory/4736-30-0x0000000002F10000-0x0000000002F11000-memory.dmp
  Filesize: 4KB
-
memory/4752-48-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-40-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-60-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-56-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-55-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-54-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-50-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-53-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-66-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-73-0x0000000003380000-0x0000000003382000-memory.dmp
  Filesize: 8KB
-
memory/4752-82-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
-
memory/4752-29-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-28-0x0000000003380000-0x0000000003382000-memory.dmp
  Filesize: 8KB
-
memory/4752-17-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-22-0x0000000003390000-0x0000000003391000-memory.dmp
  Filesize: 4KB
-
memory/4752-15-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-12-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-10-0x0000000002190000-0x000000000324A000-memory.dmp
  Filesize: 16.7MB
-
memory/4752-4-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB