1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730

Analysis

max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe
Size

4.1MB
MD5

7994f7bb21f3b9c9e6d84afb90a80411
SHA1

3812310d00afc536c56182b142eb2c64c959abfb
SHA256

1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730
SHA512

d5d7eebb6cfcfd11ba5fccb3dbb252303f2f26b214986856b5acd079b3fae31f6f244942868af59676aa64dc6a1b15d16dd95d493a6641743a62749244f0826b
SSDEEP

49152:oTGkQO///o5QZuTtS0rQMYOQ+q8CETtTG4QDTGHQw9KFeMV:oKk////oWsM0r1QnSK42KHr0Fe4

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\rU5of0aT.sys	syskey.exe

Deletes itself 1 IoCs

pid	Process
568	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2676	dc811f11
2800	autofmt.exe
2732	syskey.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x00000000010F0000-0x0000000001179000-memory.dmp	upx
behavioral1/files/0x00070000000120e4-2.dat	upx
behavioral1/memory/2676-3-0x0000000000C10000-0x0000000000C99000-memory.dmp	upx
behavioral1/memory/2240-44-0x00000000010F0000-0x0000000001179000-memory.dmp	upx
behavioral1/memory/2676-48-0x0000000000C10000-0x0000000000C99000-memory.dmp	upx
behavioral1/memory/2240-55-0x00000000010F0000-0x0000000001179000-memory.dmp	upx
behavioral1/memory/2676-62-0x0000000000C10000-0x0000000000C99000-memory.dmp	upx
behavioral1/memory/2676-114-0x0000000000C10000-0x0000000000C99000-memory.dmp	upx
behavioral1/files/0x00070000000120e4-116.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Syswow64\dc811f11	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	dc811f11
File created	C:\Windows\system32\ \Windows\System32\gk33a1vO.sys	syskey.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	dc811f11
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	dc811f11

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\2dd068	dc811f11
File created	C:\Windows\Inf\autofmt.exe	Explorer.EXE
File opened for modification	C:\Windows\Inf\autofmt.exe	Explorer.EXE
File created	C:\Windows\von860cZc.sys	syskey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1428	timeout.exe
2252	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	syskey.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	syskey.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dc811f11
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dc811f11
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	dc811f11
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	dc811f11
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	dc811f11
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	dc811f11
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	dc811f11
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	dc811f11
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	dc811f11
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dc811f11

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	syskey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	syskey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	syskey.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	dc811f11
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dc811f11
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	syskey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	syskey.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	dc811f11
2676	dc811f11
2676	dc811f11
2676	dc811f11
2676	dc811f11
2676	dc811f11
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
2676	dc811f11
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe
Token: SeTcbPrivilege	2240	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe
Token: SeDebugPrivilege	2676	dc811f11
Token: SeTcbPrivilege	2676	dc811f11
Token: SeDebugPrivilege	2676	dc811f11
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeDebugPrivilege	1244	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2240	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe
Token: SeDebugPrivilege	2676	dc811f11
Token: SeDebugPrivilege	2732	syskey.exe
Token: SeDebugPrivilege	2732	syskey.exe
Token: SeDebugPrivilege	2732	syskey.exe
Token: SeIncBasePriorityPrivilege	2676	dc811f11
Token: SeDebugPrivilege	2732	syskey.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe
2732	syskey.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	syskey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1244	2676	dc811f11	13
PID 2676 wrote to memory of 1244	2676	dc811f11	13
PID 2676 wrote to memory of 1244	2676	dc811f11	13
PID 2676 wrote to memory of 1244	2676	dc811f11	13
PID 2676 wrote to memory of 1244	2676	dc811f11	13
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 1244 wrote to memory of 2732	1244	Explorer.EXE	30
PID 2676 wrote to memory of 424	2676	dc811f11	3
PID 2676 wrote to memory of 424	2676	dc811f11	3
PID 2676 wrote to memory of 424	2676	dc811f11	3
PID 2676 wrote to memory of 424	2676	dc811f11	3
PID 2676 wrote to memory of 424	2676	dc811f11	3
PID 2240 wrote to memory of 568	2240	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe	32
PID 2240 wrote to memory of 568	2240	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe	32
PID 2240 wrote to memory of 568	2240	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe	32
PID 2240 wrote to memory of 568	2240	1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe	32
PID 568 wrote to memory of 1428	568	cmd.exe	34
PID 568 wrote to memory of 1428	568	cmd.exe	34
PID 568 wrote to memory of 1428	568	cmd.exe	34
PID 568 wrote to memory of 1428	568	cmd.exe	34
PID 2676 wrote to memory of 1312	2676	dc811f11	37
PID 2676 wrote to memory of 1312	2676	dc811f11	37
PID 2676 wrote to memory of 1312	2676	dc811f11	37
PID 2676 wrote to memory of 1312	2676	dc811f11	37
PID 1312 wrote to memory of 2252	1312	cmd.exe	39
PID 1312 wrote to memory of 2252	1312	cmd.exe	39
PID 1312 wrote to memory of 2252	1312	cmd.exe	39
PID 1312 wrote to memory of 2252	1312	cmd.exe	39
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13
PID 2732 wrote to memory of 1244	2732	syskey.exe	13

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe
  "C:\Users\Admin\AppData\Local\Temp\1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\1f7111e2a60f4a0dd28752d020170052cd6b2c01834004b88736ef7750ed5730.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1428
- C:\Windows\Inf\autofmt.exe
  "C:\Windows\Inf\autofmt.exe"
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\ProgramData\syskey.exe
  "C:\ProgramData\syskey.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732

C:\Windows\Syswow64\dc811f11
C:\Windows\Syswow64\dc811f11
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\dc811f11"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\syskey.exe

Filesize
33KB

MD5
55524e13938671cbc3006c78647e17b8

SHA1
654def99a7e3cc867fddcfe92af035dadd13b55f

SHA256
d119e8605457e0b26af5b8ffe9fefdaf89864b127bbb7ecdbd73d29b3c12a8a9

SHA512
8672883fbd900b4b1fd9300775d3299c5f51544848a907d68bf593146d81ab9c9dca89c1881611073a686564cf009705cdb73b1af7811caab6a6ed0a5c0a2b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA0B2.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\SysWOW64\dc811f11

Filesize
4.1MB

MD5
a9cca96993938d895064a48beca917da

SHA1
1140147438d6daded6d2681af99805b230b3e3a5

SHA256
7559421707c60d13b6cf5ff71c74a561ebdb89b0cdecb8ba38937f26fd974a1b

SHA512
ad79c9b0113347b913938da13f710230ac5d43f5c4831cda7b8b109768cb9f754c4c7ce32dee7ad7e80ff8a9e2bbc18f94e7bf1a4b3d0c9c68ebf96f022cb599

Download Submit
C:\Windows\Syswow64\dc811f11

Filesize
4.1MB

MD5
a9cca96993938d895064a48beca917da

SHA1
1140147438d6daded6d2681af99805b230b3e3a5

SHA256
7559421707c60d13b6cf5ff71c74a561ebdb89b0cdecb8ba38937f26fd974a1b

SHA512
ad79c9b0113347b913938da13f710230ac5d43f5c4831cda7b8b109768cb9f754c4c7ce32dee7ad7e80ff8a9e2bbc18f94e7bf1a4b3d0c9c68ebf96f022cb599

Download Submit
C:\Windows\Temp\TarA6DD.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\inf\autofmt.exe

Filesize
746KB

MD5
04fafcaf36632e03b6bfc48275178349

SHA1
41191fd8abc13c88aec5a46281d1082a958ed2ff

SHA256
c45ee812712c7484d3869811af63d6e78ef885054fe702662104bde5635d8a73

SHA512
a251178601db5b53849a7514fc98853720d71e461373e3701289ca9d0c782edf63516bdedc60c17a0d0521db9bfb996a4ffe0d88ddd9ae8c875490bcf47c5f2e

Download Submit
\ProgramData\syskey.exe

Filesize
33KB

MD5
55524e13938671cbc3006c78647e17b8

SHA1
654def99a7e3cc867fddcfe92af035dadd13b55f

SHA256
d119e8605457e0b26af5b8ffe9fefdaf89864b127bbb7ecdbd73d29b3c12a8a9

SHA512
8672883fbd900b4b1fd9300775d3299c5f51544848a907d68bf593146d81ab9c9dca89c1881611073a686564cf009705cdb73b1af7811caab6a6ed0a5c0a2b88

Download Submit
memory/424-54-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/424-52-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download
memory/1244-150-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-152-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-168-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-133-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-166-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-165-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-163-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-164-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-160-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-161-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-26-0x0000000004EF0000-0x0000000004FE7000-memory.dmp

Filesize
988KB

Download
memory/1244-24-0x0000000002A50000-0x0000000002A53000-memory.dmp

Filesize
12KB

Download
memory/1244-162-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-159-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-23-0x0000000002A50000-0x0000000002A53000-memory.dmp

Filesize
12KB

Download
memory/1244-132-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-158-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-112-0x0000000004EF0000-0x0000000004FE7000-memory.dmp

Filesize
988KB

Download
memory/1244-157-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-156-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-155-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-154-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-153-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-151-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-120-0x000007FEC5810000-0x000007FEC581A000-memory.dmp

Filesize
40KB

Download
memory/1244-119-0x000007FEF61C0000-0x000007FEF6303000-memory.dmp

Filesize
1.3MB

Download
memory/1244-149-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-148-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-147-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-124-0x000007FEF61C0000-0x000007FEF6303000-memory.dmp

Filesize
1.3MB

Download
memory/1244-125-0x000007FEC5810000-0x000007FEC581A000-memory.dmp

Filesize
40KB

Download
memory/1244-145-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-128-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-129-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-130-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-131-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-21-0x0000000002A50000-0x0000000002A53000-memory.dmp

Filesize
12KB

Download
memory/1244-167-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-146-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-136-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-135-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-134-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-138-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-139-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-140-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-141-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-142-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-143-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1244-144-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2240-44-0x00000000010F0000-0x0000000001179000-memory.dmp

Filesize
548KB

Download
memory/2240-55-0x00000000010F0000-0x0000000001179000-memory.dmp

Filesize
548KB

Download
memory/2240-0-0x00000000010F0000-0x0000000001179000-memory.dmp

Filesize
548KB

Download
memory/2676-3-0x0000000000C10000-0x0000000000C99000-memory.dmp

Filesize
548KB

Download
memory/2676-114-0x0000000000C10000-0x0000000000C99000-memory.dmp

Filesize
548KB

Download
memory/2676-48-0x0000000000C10000-0x0000000000C99000-memory.dmp

Filesize
548KB

Download
memory/2676-62-0x0000000000C10000-0x0000000000C99000-memory.dmp

Filesize
548KB

Download
memory/2732-118-0x0000000001E90000-0x0000000001E9F000-memory.dmp

Filesize
60KB

Download
memory/2732-46-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2732-34-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2732-115-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2732-126-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2732-193-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2732-47-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2732-137-0x0000000001EA0000-0x0000000001EB0000-memory.dmp

Filesize
64KB

Download
memory/2732-121-0x0000000003C00000-0x0000000003CA0000-memory.dmp

Filesize
640KB

Download
memory/2732-117-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2732-50-0x0000000001D40000-0x0000000001E0B000-memory.dmp

Filesize
812KB

Download
memory/2732-122-0x0000000003C00000-0x0000000003CA0000-memory.dmp

Filesize
640KB

Download
memory/2732-49-0x000007FEBF440000-0x000007FEBF450000-memory.dmp

Filesize
64KB

Download
memory/2732-110-0x0000000037B20000-0x0000000037B30000-memory.dmp

Filesize
64KB

Download
memory/2732-123-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2732-40-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2732-33-0x0000000000190000-0x0000000000253000-memory.dmp

Filesize
780KB

Download
memory/2732-192-0x0000000003C00000-0x0000000003CA0000-memory.dmp

Filesize
640KB

Download
memory/2732-113-0x0000000000900000-0x0000000000928000-memory.dmp

Filesize
160KB

Download