457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 20:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe
Size

2.7MB
MD5

7e239fd3c0d61ffb614c4466fc0b7ddd
SHA1

e0351865b8c11d43ac4edcd9cfe0ddb1071fa955
SHA256

457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d
SHA512

bf283c954cb727fd22ab9512b3f911a210c24b2ec0241e5f1a3167c250e75e77d0a485dab7ca339243a572f23f9f949c639a1b578281512b354e75d9c79b8c1b
SSDEEP

49152:ITGkQ75QZuTtS0rQMYOQ+q8CEXTG4QrTGHQK9KFeMQ:IKk8WsM0r1QnAK4eKHZ0FeV

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\VF5IA7RM.sys	dxdiag.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2132	64f5509f
2612	dxdiag.exe

Loads dropped DLL 1 IoCs

pid	Process
1248	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-0-0x0000000000210000-0x0000000000299000-memory.dmp	upx
behavioral1/files/0x00070000000120bd-2.dat	upx
behavioral1/memory/2132-3-0x0000000000F10000-0x0000000000F99000-memory.dmp	upx
behavioral1/memory/1700-25-0x0000000000210000-0x0000000000299000-memory.dmp	upx
behavioral1/memory/2132-27-0x0000000000F10000-0x0000000000F99000-memory.dmp	upx
behavioral1/memory/1700-49-0x0000000000210000-0x0000000000299000-memory.dmp	upx
behavioral1/memory/2132-56-0x0000000000F10000-0x0000000000F99000-memory.dmp	upx
behavioral1/memory/2132-97-0x0000000000F10000-0x0000000000F99000-memory.dmp	upx
behavioral1/files/0x00070000000120bd-107.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	64f5509f
File created	C:\Windows\system32\ \Windows\System32\ew4K3nCe.sys	dxdiag.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	64f5509f
File created	C:\Windows\Syswow64\64f5509f	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	64f5509f
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	64f5509f

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\248028	64f5509f
File created	C:\Windows\sPotBb.sys	dxdiag.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
364	timeout.exe
2888	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	dxdiag.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	dxdiag.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	64f5509f
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	64f5509f
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	64f5509f
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	64f5509f
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	64f5509f
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	64f5509f
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	64f5509f
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	64f5509f
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	64f5509f
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	64f5509f

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	dxdiag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	dxdiag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	64f5509f
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	64f5509f
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	64f5509f
2132	64f5509f
2132	64f5509f
2132	64f5509f
2132	64f5509f
2132	64f5509f
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
2132	64f5509f
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe
Token: SeTcbPrivilege	1700	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe
Token: SeDebugPrivilege	2132	64f5509f
Token: SeTcbPrivilege	2132	64f5509f
Token: SeDebugPrivilege	2132	64f5509f
Token: SeDebugPrivilege	1248	Explorer.EXE
Token: SeDebugPrivilege	1248	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1700	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe
Token: SeDebugPrivilege	2132	64f5509f
Token: SeDebugPrivilege	2612	dxdiag.exe
Token: SeDebugPrivilege	2612	dxdiag.exe
Token: SeDebugPrivilege	2612	dxdiag.exe
Token: SeIncBasePriorityPrivilege	2132	64f5509f
Token: SeDebugPrivilege	2612	dxdiag.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe
2612	dxdiag.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1248	2132	64f5509f	18
PID 2132 wrote to memory of 1248	2132	64f5509f	18
PID 2132 wrote to memory of 1248	2132	64f5509f	18
PID 2132 wrote to memory of 1248	2132	64f5509f	18
PID 2132 wrote to memory of 1248	2132	64f5509f	18
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 1248 wrote to memory of 2612	1248	Explorer.EXE	29
PID 2132 wrote to memory of 420	2132	64f5509f	4
PID 2132 wrote to memory of 420	2132	64f5509f	4
PID 2132 wrote to memory of 420	2132	64f5509f	4
PID 2132 wrote to memory of 420	2132	64f5509f	4
PID 2132 wrote to memory of 420	2132	64f5509f	4
PID 1700 wrote to memory of 2520	1700	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe	31
PID 1700 wrote to memory of 2520	1700	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe	31
PID 1700 wrote to memory of 2520	1700	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe	31
PID 1700 wrote to memory of 2520	1700	457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe	31
PID 2520 wrote to memory of 2888	2520	cmd.exe	33
PID 2520 wrote to memory of 2888	2520	cmd.exe	33
PID 2520 wrote to memory of 2888	2520	cmd.exe	33
PID 2520 wrote to memory of 2888	2520	cmd.exe	33
PID 2132 wrote to memory of 1472	2132	64f5509f	35
PID 2132 wrote to memory of 1472	2132	64f5509f	35
PID 2132 wrote to memory of 1472	2132	64f5509f	35
PID 2132 wrote to memory of 1472	2132	64f5509f	35
PID 1472 wrote to memory of 364	1472	cmd.exe	37
PID 1472 wrote to memory of 364	1472	cmd.exe	37
PID 1472 wrote to memory of 364	1472	cmd.exe	37
PID 1472 wrote to memory of 364	1472	cmd.exe	37
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18
PID 2612 wrote to memory of 1248	2612	dxdiag.exe	18

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe
  "C:\Users\Admin\AppData\Local\Temp\457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\457bdc715b23ccb6da72828aad98306e2ab5f15063214ea8f43994637dd1d16d.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2888
- C:\ProgramData\dxdiag.exe
  "C:\ProgramData\dxdiag.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2612

C:\Windows\Syswow64\64f5509f
C:\Windows\Syswow64\64f5509f
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\64f5509f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dxdiag.exe

Filesize
335KB

MD5
6c56354e720e5c2ac4ba1233d3bc6611

SHA1
0500ba7468b47ff355b9e4910802af372b35b20f

SHA256
9778e7100ffe0fd83339fb25fd18b0120e3c8abac529a7a748370fd57e953e4c

SHA512
e79b5ee3763b2d9abfa7276f90f3b8bdbd6c4d9049d8b63f850cfdcf5fbf27abd4afe7bab68ae8d7936815bcbbde29df66dd33ffcd86cf7339154b6fd3d352d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7CCE.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\SysWOW64\64f5509f

Filesize
2.7MB

MD5
2b7c092dc7d21d143cc9c075c8a5fea0

SHA1
34a74cbf93f8bfafc2e4be6b57487e1244880a13

SHA256
33027a75da62fafe21728c4426ec754951452ff1ac06b0b07b80f8bb57129713

SHA512
66bfa6b2dc89bda9cff88aa7827daf6523453e0bd6ec164cba96dc61802147e5da61b5df00aa4dce9cb57766310aa485796f513bbde09e3e7d9ac401d265c3d4

Download Submit
C:\Windows\Syswow64\64f5509f

Filesize
2.7MB

MD5
2b7c092dc7d21d143cc9c075c8a5fea0

SHA1
34a74cbf93f8bfafc2e4be6b57487e1244880a13

SHA256
33027a75da62fafe21728c4426ec754951452ff1ac06b0b07b80f8bb57129713

SHA512
66bfa6b2dc89bda9cff88aa7827daf6523453e0bd6ec164cba96dc61802147e5da61b5df00aa4dce9cb57766310aa485796f513bbde09e3e7d9ac401d265c3d4

Download Submit
C:\Windows\Temp\Tar8153.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\ProgramData\dxdiag.exe

Filesize
335KB

MD5
6c56354e720e5c2ac4ba1233d3bc6611

SHA1
0500ba7468b47ff355b9e4910802af372b35b20f

SHA256
9778e7100ffe0fd83339fb25fd18b0120e3c8abac529a7a748370fd57e953e4c

SHA512
e79b5ee3763b2d9abfa7276f90f3b8bdbd6c4d9049d8b63f850cfdcf5fbf27abd4afe7bab68ae8d7936815bcbbde29df66dd33ffcd86cf7339154b6fd3d352d4

Download Submit
memory/420-48-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/420-46-0x0000000000760000-0x0000000000763000-memory.dmp

Filesize
12KB

Download
memory/1248-150-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-144-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-168-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-26-0x0000000007140000-0x0000000007237000-memory.dmp

Filesize
988KB

Download
memory/1248-166-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-164-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-162-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-160-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-125-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-158-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-131-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-24-0x0000000002AD0000-0x0000000002AD3000-memory.dmp

Filesize
12KB

Download
memory/1248-133-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-136-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-23-0x0000000002AD0000-0x0000000002AD3000-memory.dmp

Filesize
12KB

Download
memory/1248-79-0x0000000007140000-0x0000000007237000-memory.dmp

Filesize
988KB

Download
memory/1248-21-0x0000000002AD0000-0x0000000002AD3000-memory.dmp

Filesize
12KB

Download
memory/1248-138-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-156-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-140-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-154-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-152-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-129-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-148-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-146-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1248-142-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1700-49-0x0000000000210000-0x0000000000299000-memory.dmp

Filesize
548KB

Download
memory/1700-25-0x0000000000210000-0x0000000000299000-memory.dmp

Filesize
548KB

Download
memory/1700-0-0x0000000000210000-0x0000000000299000-memory.dmp

Filesize
548KB

Download
memory/2132-27-0x0000000000F10000-0x0000000000F99000-memory.dmp

Filesize
548KB

Download
memory/2132-3-0x0000000000F10000-0x0000000000F99000-memory.dmp

Filesize
548KB

Download
memory/2132-97-0x0000000000F10000-0x0000000000F99000-memory.dmp

Filesize
548KB

Download
memory/2132-56-0x0000000000F10000-0x0000000000F99000-memory.dmp

Filesize
548KB

Download
memory/2612-43-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2612-128-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2612-126-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2612-124-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2612-123-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2612-121-0x0000000003B90000-0x0000000003C30000-memory.dmp

Filesize
640KB

Download
memory/2612-119-0x0000000003B90000-0x0000000003C30000-memory.dmp

Filesize
640KB

Download
memory/2612-135-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/2612-118-0x0000000003B90000-0x0000000003C30000-memory.dmp

Filesize
640KB

Download
memory/2612-117-0x0000000003B90000-0x0000000003C30000-memory.dmp

Filesize
640KB

Download
memory/2612-116-0x0000000001E90000-0x0000000001E9F000-memory.dmp

Filesize
60KB

Download
memory/2612-115-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2612-114-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2612-113-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2612-112-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2612-111-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2612-110-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/2612-108-0x0000000036EE0000-0x0000000036EF0000-memory.dmp

Filesize
64KB

Download
memory/2612-96-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2612-44-0x000007FEBE840000-0x000007FEBE850000-memory.dmp

Filesize
64KB

Download
memory/2612-42-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2612-40-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2612-31-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/2612-33-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2612-36-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/2612-262-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2612-263-0x0000000001E90000-0x0000000001E9F000-memory.dmp

Filesize
60KB

Download
memory/2612-264-0x0000000003B90000-0x0000000003C30000-memory.dmp

Filesize
640KB

Download