aea1dcb3a92cb5d5841f7e03a88f6220829e2df1dae2d147e70aef69d16770fb

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2023 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iediagcmd.exe
Size

503KB
MD5

47848682b029e73d50db21b036234db3
SHA1

cfb5e4cf260a4d8ca0daf135429332f7d27c93a3
SHA256

879aebf76db4528f0f4747b38e0cb9ba66ad983c171fb54a4e548ff1c004e459
SHA512

5052094b2033ae5b4a4334f7067086e2266bae5e34f8eef26535e70600c4162b48930ea5040a465511c10eb517ea128211b512fb5822b2b8ca4445498ef828cf
SSDEEP

12288:vjQJGJ17jTmepq1Zi2HDG2YIwgj5rp21ZZ:LQJGJIW05YIww5tK

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3000 netsh.exe

pid	process
3000	netsh.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

dxdiag.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe

Drops file in System32 directory 18 IoCs

Processes:

dxdiag.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	dxdiag.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dxdiag.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1308 ipconfig.exe

pid	process
1308	ipconfig.exe

Modifies registry class 35 IoCs

Processes:

dxdiag.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\system32\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4272677097-406801653-1594978504-1000\{791C251E-0435-448A-9F6B-65FD816313C1}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

iediagcmd.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	iediagcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	iediagcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	iediagcmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	iediagcmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dxdiag.exeiediagcmd.exe

pid process

3628 dxdiag.exe
3628 dxdiag.exe
1996 iediagcmd.exe
1996 iediagcmd.exe

pid	process
3628	dxdiag.exe
3628	dxdiag.exe
1996	iediagcmd.exe
1996	iediagcmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

iediagcmd.exe

description	pid	process
Token: SeBackupPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe
Token: SeSecurityPrivilege	1996	iediagcmd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

iediagcmd.exedxdiag.exe

pid process

1996 iediagcmd.exe
1996 iediagcmd.exe
3628 dxdiag.exe

pid	process
1996	iediagcmd.exe
1996	iediagcmd.exe
3628	dxdiag.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

iediagcmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 3628	1996	iediagcmd.exe	dxdiag.exe
PID 1996 wrote to memory of 3628	1996	iediagcmd.exe	dxdiag.exe
PID 1996 wrote to memory of 1308	1996	iediagcmd.exe	ipconfig.exe
PID 1996 wrote to memory of 1308	1996	iediagcmd.exe	ipconfig.exe
PID 1996 wrote to memory of 5032	1996	iediagcmd.exe	route.exe
PID 1996 wrote to memory of 5032	1996	iediagcmd.exe	route.exe
PID 1996 wrote to memory of 972	1996	iediagcmd.exe	netsh.exe
PID 1996 wrote to memory of 972	1996	iediagcmd.exe	netsh.exe
PID 1996 wrote to memory of 3000	1996	iediagcmd.exe	netsh.exe
PID 1996 wrote to memory of 3000	1996	iediagcmd.exe	netsh.exe
PID 1996 wrote to memory of 4620	1996	iediagcmd.exe	netsh.exe
PID 1996 wrote to memory of 4620	1996	iediagcmd.exe	netsh.exe
PID 1996 wrote to memory of 1372	1996	iediagcmd.exe	makecab.exe
PID 1996 wrote to memory of 1372	1996	iediagcmd.exe	makecab.exe

C:\Users\Admin\AppData\Local\Temp\iediagcmd.exe
"C:\Users\Admin\AppData\Local\Temp\iediagcmd.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\dxdiag.exe
  "C:\Windows\system32\dxdiag.exe" /x C:\Users\Admin\AppData\Local\Temp\dxdiag.xml
  2⤵
  - Registers COM server for autorun
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3628
- C:\Windows\SYSTEM32\ipconfig.exe
  "ipconfig" /all
  2⤵
  - Gathers network information
  PID:1308
- C:\Windows\SYSTEM32\route.exe
  "route" print
  2⤵
  PID:5032
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" in tcp show global
  2⤵
  PID:972
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall show rule name=all verbose
  2⤵
  - Modifies Windows Firewall
  PID:3000
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" winsock show catalog
  2⤵
  PID:4620
- C:\Windows\SYSTEM32\makecab.exe
  "makecab.exe" /F "C:\Users\Admin\AppData\Local\Temp\iediag_makecab_directives.txt"
  2⤵
  PID:1372

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
b66f813296134a13e5c61fa640ec098c

SHA1
06b6d5a8842c11579b55ecda435e13fca6fde0f4

SHA256
985fd87202a9203b56f5582ac654171fbbc05a93239e9ec5a068c12db6984c7a

SHA512
df8e25c99a9f79bbff52a779e3a251d44931a7ce793a195bcba13aa0586d8a6e7cabd7c80dadd33783031bcfee62c715c4f8acb027cf4b0c4ce6f5efc555840a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEDiag.json

Filesize
26KB

MD5
4faf2d6a4418d2291b88f7a5f95aaf21

SHA1
18153191bf5a59c515a596a8c4ca2cbe07271a36

SHA256
2042b446befdaba3e8100cb82776e703ab046a2951705eafcf10198cf89109a3

SHA512
6ac35160ce3ac92f095286227c8f8a00303a498e7c43877ea859d83ce66df0cda354637d31717bf021b63bba5e815d4a0340e20d7544333b32b15bb98630823f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEDiag.xml

Filesize
2.6MB

MD5
3b32dd4edaa006f6dceabd19da1c906a

SHA1
1b9bd981e36a60ff3f54eb10c771b55816d5012c

SHA256
ead5e0ac3353eadda1acb891db881c9596cf7f0ea4227de7fef921b4ef079e16

SHA512
ecd168114464003c824b9bad7eebe176fd05bec9c88ab5818b59426c6902b704f2bdd7508a24209c3e899873d3389744c88521d42a64e1aeb927ad688dffac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxdiag.xml

Filesize
172KB

MD5
11427623bc5d39438d4f40869cfa48b7

SHA1
d3810ef69bcd23a42f90abe74581fb3604318d5e

SHA256
c6acb50f05891b15dd8449e15fcd3650b9289d8160ea1270d3889206aca4df03

SHA512
8faf217435696726aeb5072ea7ec5af7b54d4cd42b48ee1b05eb3ab5be605b901aee21195083374bebaddd2f12b4e2eb0d2cac9b61a1453d61b82c9bdc07cc69

Download Submit
C:\Users\Admin\AppData\Local\Temp\iediag_makecab_directives.txt

Filesize
515B

MD5
14c148857af11ebcee263a2fb2b359ee

SHA1
710cb526ed69db7fdcc5da6b49241f70101e12fb

SHA256
810a37010bd4e6eed276310610dc4ebc7cc91535edf65e6ba6d9ed6edbe793ac

SHA512
d47ff7bdb40d518cf8daed410f29fea0f990457ed2da25ff2840a3bdcda77abe0b1b9948198a105a217fadbd4e4eed80fd0eb4338db7202892b9b4b910189e12

Download Submit
memory/1996-94-0x0000013E68190000-0x0000013E688E7000-memory.dmp

Filesize
7.3MB

Download
memory/1996-40-0x0000013E68190000-0x0000013E688E7000-memory.dmp

Filesize
7.3MB

Download
memory/1996-1-0x00007FFF03080000-0x00007FFF03B41000-memory.dmp

Filesize
10.8MB

Download
memory/1996-95-0x00007FFF03080000-0x00007FFF03B41000-memory.dmp

Filesize
10.8MB

Download
memory/1996-0-0x00007FF792C60000-0x00007FF792CE4000-memory.dmp

Filesize
528KB

Download
memory/1996-2-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-3-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-4-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-64-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-63-0x0000013E68190000-0x0000013E688E7000-memory.dmp

Filesize
7.3MB

Download
memory/1996-6-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-49-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-33-0x00007FFF03080000-0x00007FFF03B41000-memory.dmp

Filesize
10.8MB

Download
memory/1996-34-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-5-0x0000013E68E00000-0x0000013E68FC2000-memory.dmp

Filesize
1.8MB

Download
memory/1996-38-0x0000013E69500000-0x0000013E69A28000-memory.dmp

Filesize
5.2MB

Download
memory/1996-37-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/1996-39-0x0000013E67620000-0x0000013E67630000-memory.dmp

Filesize
64KB

Download
memory/3628-19-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-7-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-16-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-17-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-15-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-13-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-14-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-8-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-9-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/3628-18-0x000001BDDBAE0000-0x000001BDDBAE1000-memory.dmp

Filesize
4KB

Download
memory/4832-112-0x000001EC25A40000-0x000001EC25A50000-memory.dmp

Filesize
64KB

Download
memory/4832-129-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-130-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-131-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-132-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-133-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-134-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-135-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-136-0x000001EC2DF60000-0x000001EC2DF61000-memory.dmp

Filesize
4KB

Download
memory/4832-128-0x000001EC2DF30000-0x000001EC2DF31000-memory.dmp

Filesize
4KB

Download