95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
09/10/2023, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe
Size

2.7MB
MD5

40420292a6806912eca11bd33bbd6e41
SHA1

d9f970de792fb4e724d34b4b335dc81ed8e71d23
SHA256

95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a
SHA512

5c8a4227a7e9b40c837e7a96368cfaecc0d81acedce9ce0f4a7f53f2a89af53d6b95ecb439f12c85e6cbbb3ea7af0fc239d6144b2852e0cb7f8ed31ccd6a6a97
SSDEEP

49152:ITGkQU5QZuTtS0rQMYOQ+q8CEGTG4QoTGHQV9KFeMz:IKkDWsM0r1QnJK4ZKHq0FeS

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\QNP3IQPU.sys	powercfg.exe

Deletes itself 1 IoCs

pid	Process
1164	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2392	d95c7453
2764	powercfg.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000C50000-0x0000000000CD9000-memory.dmp	upx
behavioral1/files/0x000b000000012021-2.dat	upx
behavioral1/memory/2392-3-0x0000000001040000-0x00000000010C9000-memory.dmp	upx
behavioral1/memory/1680-46-0x0000000000C50000-0x0000000000CD9000-memory.dmp	upx
behavioral1/memory/2392-49-0x0000000001040000-0x00000000010C9000-memory.dmp	upx
behavioral1/memory/1680-53-0x0000000000C50000-0x0000000000CD9000-memory.dmp	upx
behavioral1/memory/2392-82-0x0000000001040000-0x00000000010C9000-memory.dmp	upx
behavioral1/memory/2392-106-0x0000000001040000-0x00000000010C9000-memory.dmp	upx
behavioral1/files/0x000b000000012021-113.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Syswow64\d95c7453	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	d95c7453
File created	C:\Windows\system32\ \Windows\System32\r9J5CX6A.sys	powercfg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	d95c7453
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	d95c7453

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\28f3b0	d95c7453
File created	C:\Windows\xQSfvuj.sys	powercfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1768	timeout.exe
2004	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	powercfg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	powercfg.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	d95c7453
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	d95c7453
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	d95c7453
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	d95c7453
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	d95c7453
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	d95c7453
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	d95c7453
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	d95c7453
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	d95c7453
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	d95c7453
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	d95c7453

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	d95c7453
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d95c7453
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	powercfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	powercfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	powercfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	powercfg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	powercfg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	d95c7453
2392	d95c7453
2392	d95c7453
2392	d95c7453
2392	d95c7453
2392	d95c7453
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
2392	d95c7453
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1224	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe
Token: SeTcbPrivilege	1680	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe
Token: SeDebugPrivilege	2392	d95c7453
Token: SeTcbPrivilege	2392	d95c7453
Token: SeDebugPrivilege	2392	d95c7453
Token: SeDebugPrivilege	1224	Explorer.EXE
Token: SeDebugPrivilege	1224	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1680	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe
Token: SeDebugPrivilege	2392	d95c7453
Token: SeDebugPrivilege	2764	powercfg.exe
Token: SeDebugPrivilege	2764	powercfg.exe
Token: SeDebugPrivilege	2764	powercfg.exe
Token: SeIncBasePriorityPrivilege	2392	d95c7453
Token: SeDebugPrivilege	2764	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe
2764	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1224	2392	d95c7453	15
PID 2392 wrote to memory of 1224	2392	d95c7453	15
PID 2392 wrote to memory of 1224	2392	d95c7453	15
PID 2392 wrote to memory of 1224	2392	d95c7453	15
PID 2392 wrote to memory of 1224	2392	d95c7453	15
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 1224 wrote to memory of 2764	1224	Explorer.EXE	29
PID 2392 wrote to memory of 420	2392	d95c7453	3
PID 2392 wrote to memory of 420	2392	d95c7453	3
PID 2392 wrote to memory of 420	2392	d95c7453	3
PID 2392 wrote to memory of 420	2392	d95c7453	3
PID 2392 wrote to memory of 420	2392	d95c7453	3
PID 1680 wrote to memory of 1164	1680	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe	32
PID 1680 wrote to memory of 1164	1680	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe	32
PID 1680 wrote to memory of 1164	1680	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe	32
PID 1680 wrote to memory of 1164	1680	95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe	32
PID 1164 wrote to memory of 2004	1164	cmd.exe	34
PID 1164 wrote to memory of 2004	1164	cmd.exe	34
PID 1164 wrote to memory of 2004	1164	cmd.exe	34
PID 1164 wrote to memory of 2004	1164	cmd.exe	34
PID 2392 wrote to memory of 1752	2392	d95c7453	37
PID 2392 wrote to memory of 1752	2392	d95c7453	37
PID 2392 wrote to memory of 1752	2392	d95c7453	37
PID 2392 wrote to memory of 1752	2392	d95c7453	37
PID 1752 wrote to memory of 1768	1752	cmd.exe	38
PID 1752 wrote to memory of 1768	1752	cmd.exe	38
PID 1752 wrote to memory of 1768	1752	cmd.exe	38
PID 1752 wrote to memory of 1768	1752	cmd.exe	38
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15
PID 2764 wrote to memory of 1224	2764	powercfg.exe	15

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe
  "C:\Users\Admin\AppData\Local\Temp\95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\95d338b145f56210124399d4b2b309291075e365cb9ea19665e0eefaa09abb4a.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2004
- C:\ProgramData\powercfg.exe
  "C:\ProgramData\powercfg.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764

C:\Windows\Syswow64\d95c7453
C:\Windows\Syswow64\d95c7453
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\d95c7453"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\powercfg.exe

Filesize
69KB

MD5
f779ee89cd1f679c91ab8848c978f086

SHA1
a2fdcc215c1ab0cb2be8a1d9db5362a6d1b756e9

SHA256
12279d4d2d7f80562f79d4dbcb7b63428e924c30a5e95f45cb0d08001a9cbddc

SHA512
5af862211a8841bd6a205ed6c9a06ab52f393d08a41c94a814f399dda28d20641ee3abbeefecaaba6bf0d0edd83d6ccf72675ca0e40e7d56966a035c3f4bb822

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAAD0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\SysWOW64\d95c7453

Filesize
2.7MB

MD5
bb5292bc0fab8194c9f29c7b2c7abfa7

SHA1
a765b241f1e3990b88f179ab4ef0b127f387a4a2

SHA256
047c35f2bbc6419a2d3cc340f7b16b7e0ada2fe987d0b594b8b8255d6f4d37b6

SHA512
9a5c23bbd02e89f9c5f9301e1fcec7d7b1469e7635f1517f5e3bd5f33c3810e88243062ced3c2061913f3d100135edfb79b9592fa18ee616eba476dae3d470b0

Download Submit
C:\Windows\Syswow64\d95c7453

Filesize
2.7MB

MD5
bb5292bc0fab8194c9f29c7b2c7abfa7

SHA1
a765b241f1e3990b88f179ab4ef0b127f387a4a2

SHA256
047c35f2bbc6419a2d3cc340f7b16b7e0ada2fe987d0b594b8b8255d6f4d37b6

SHA512
9a5c23bbd02e89f9c5f9301e1fcec7d7b1469e7635f1517f5e3bd5f33c3810e88243062ced3c2061913f3d100135edfb79b9592fa18ee616eba476dae3d470b0

Download Submit
C:\Windows\Temp\TarB2FD.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
\ProgramData\powercfg.exe

Filesize
69KB

MD5
f779ee89cd1f679c91ab8848c978f086

SHA1
a2fdcc215c1ab0cb2be8a1d9db5362a6d1b756e9

SHA256
12279d4d2d7f80562f79d4dbcb7b63428e924c30a5e95f45cb0d08001a9cbddc

SHA512
5af862211a8841bd6a205ed6c9a06ab52f393d08a41c94a814f399dda28d20641ee3abbeefecaaba6bf0d0edd83d6ccf72675ca0e40e7d56966a035c3f4bb822

Download Submit
memory/420-52-0x00000000007F0000-0x0000000000818000-memory.dmp

Filesize
160KB

Download
memory/1224-127-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-154-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-164-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-163-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-26-0x0000000006240000-0x0000000006337000-memory.dmp

Filesize
988KB

Download
memory/1224-162-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-161-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-160-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-143-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-131-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-159-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-142-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-25-0x0000000002A70000-0x0000000002A73000-memory.dmp

Filesize
12KB

Download
memory/1224-141-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-23-0x0000000002A70000-0x0000000002A73000-memory.dmp

Filesize
12KB

Download
memory/1224-140-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-21-0x0000000002A70000-0x0000000002A73000-memory.dmp

Filesize
12KB

Download
memory/1224-99-0x0000000006240000-0x0000000006337000-memory.dmp

Filesize
988KB

Download
memory/1224-139-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-129-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-158-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-138-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-157-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-156-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-155-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-144-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-153-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-152-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-151-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-150-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-149-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-148-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-125-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-137-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-147-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-128-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-146-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-130-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-145-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-132-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-133-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-134-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-135-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1224-136-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1680-0-0x0000000000C50000-0x0000000000CD9000-memory.dmp

Filesize
548KB

Download
memory/1680-53-0x0000000000C50000-0x0000000000CD9000-memory.dmp

Filesize
548KB

Download
memory/1680-46-0x0000000000C50000-0x0000000000CD9000-memory.dmp

Filesize
548KB

Download
memory/2392-3-0x0000000001040000-0x00000000010C9000-memory.dmp

Filesize
548KB

Download
memory/2392-106-0x0000000001040000-0x00000000010C9000-memory.dmp

Filesize
548KB

Download
memory/2392-82-0x0000000001040000-0x00000000010C9000-memory.dmp

Filesize
548KB

Download
memory/2392-49-0x0000000001040000-0x00000000010C9000-memory.dmp

Filesize
548KB

Download
memory/2764-110-0x0000000036F80000-0x0000000036F90000-memory.dmp

Filesize
64KB

Download
memory/2764-47-0x000007FEBDDF0000-0x000007FEBDE00000-memory.dmp

Filesize
64KB

Download
memory/2764-30-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/2764-126-0x0000000001F00000-0x0000000001F10000-memory.dmp

Filesize
64KB

Download
memory/2764-124-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2764-122-0x0000000003790000-0x0000000003830000-memory.dmp

Filesize
640KB

Download
memory/2764-121-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2764-119-0x0000000003790000-0x0000000003830000-memory.dmp

Filesize
640KB

Download
memory/2764-120-0x0000000001F20000-0x0000000001F2F000-memory.dmp

Filesize
60KB

Download
memory/2764-118-0x00000000007E0000-0x00000000007E3000-memory.dmp

Filesize
12KB

Download
memory/2764-117-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2764-116-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2764-115-0x0000000000450000-0x000000000051B000-memory.dmp

Filesize
812KB

Download
memory/2764-114-0x0000000000450000-0x000000000051B000-memory.dmp

Filesize
812KB

Download
memory/2764-112-0x00000000007E0000-0x00000000007E3000-memory.dmp

Filesize
12KB

Download
memory/2764-48-0x0000000000450000-0x000000000051B000-memory.dmp

Filesize
812KB

Download
memory/2764-43-0x0000000000450000-0x000000000051B000-memory.dmp

Filesize
812KB

Download
memory/2764-44-0x0000000000450000-0x000000000051B000-memory.dmp

Filesize
812KB

Download
memory/2764-42-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/2764-38-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/2764-32-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2764-179-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download