4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 12:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Size

274KB
MD5

b6488e77d3bc7274163aca004defd0f3
SHA1

d9992fdb0d69e199446a107d214200b398122cc5
SHA256

4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d
SHA512

a4bf86b0f08e7bce3a7a06286e7769bb625e1c23b4bf7db8722548faa45958a60fdfe49a8200f5d978c37564a04c1ebb689884f27ef76704ff0e630d8604512b
SSDEEP

6144:ybTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:yPcrfR6ZnOkx2LIa

Score

8^/10

upx vmprotect

Malware Config

Signatures

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\L5bwgoyUbNm.ikt	sxstrace.exe
File created	C:\Windows\System32\drivers\NrCAxTl.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\drivers\dssW5Xk1SQU75Z.xxm	sxstrace.exe
File opened for modification	C:\Windows\system32\drivers\W1EL3kjm2jjuG2.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\drivers\mmqE76krGmgHin.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\drivers\7LQXWkScfD7oA.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\drivers\yIOZ9KzZBf.eku	sxstrace.exe
File opened for modification	C:\Windows\system32\drivers\ZUFlxPiJPBz6uU.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\drivers\2aYswt3UyBG0.owe	sxstrace.exe

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1636	sxstrace.exe

Loads dropped DLL 7 IoCs

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1212	Explorer.EXE
1180	Dwm.exe
1180	Dwm.exe
1180	Dwm.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1692-0-0x0000000000E10000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1692-105-0x0000000000E10000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1692-180-0x0000000000E10000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1692-289-0x0000000000E10000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1692-583-0x0000000000E10000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1692-607-0x0000000000E10000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1692-630-0x0000000000E10000-0x0000000000E9C000-memory.dmp	upx

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1212-551-0x0000000008C10000-0x0000000008EBB000-memory.dmp	vmprotect
behavioral1/memory/1212-553-0x0000000008C10000-0x0000000008EBB000-memory.dmp	vmprotect
behavioral1/memory/1212-637-0x0000000008C10000-0x0000000008EBB000-memory.dmp	vmprotect
behavioral1/files/0x0008000000005b88-695.dat	vmprotect
behavioral1/files/0x0016000000005b88-779.dat	vmprotect
behavioral1/files/0x0024000000005b88-863.dat	vmprotect
behavioral1/files/0x0031000000005b88-947.dat	vmprotect

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MvhtZpF1RsUC.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\HmWp4eKH6K5t7.tmq	sxstrace.exe
File created	C:\Windows\system32\ \Windows\System32\S2293l.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\dPY4TFCM9cW0FK.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\9STzB9u7VC.dys	sxstrace.exe
File opened for modification	C:\Windows\system32\IO4AsXGce1.sys	sxstrace.exe
File opened for modification	C:\Windows\system32\p9LXjxyMm4D.exa	sxstrace.exe
File opened for modification	C:\Windows\system32\jOZBmOwbJJ.sys	sxstrace.exe
File created	C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\vc1TKu2w.cat	sxstrace.exe
File opened for modification	C:\Windows\system32\aj0aePMCsNA6gN.ewk	sxstrace.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\rghgQBwoIKgs56.cyx	sxstrace.exe
File opened for modification	C:\Program Files\Windows Portable Devices\4d5a344c.html	sxstrace.exe
File opened for modification	C:\Program Files\Ug0nhCDkjjmhe.aax	sxstrace.exe
File opened for modification	C:\Program Files\qfE55pcEzbnkNW.sys	sxstrace.exe
File opened for modification	C:\Program Files\y5fmiPu9PBeor.sys	sxstrace.exe
File opened for modification	C:\Program Files (x86)\qHsKDttJrxPAv.sys	sxstrace.exe
File opened for modification	C:\Program Files (x86)\cAE5CFIBUmDc6j.sys	sxstrace.exe
File opened for modification	C:\Program Files (x86)\0ypUUU7NZ6.zun	sxstrace.exe
File opened for modification	C:\Program Files\Windows Portable Devices\3de1c370.js	sxstrace.exe
File opened for modification	C:\Program Files\VideoLAN\manifest.json	Dwm.exe
File opened for modification	C:\Program Files (x86)\UkW3B5WgF0zS.iun	sxstrace.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lib\6c4b1604.js	sxstrace.exe
File opened for modification	C:\Program Files\VideoLAN\4d5a4031.html	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\5cd2b36e.js	Dwm.exe
File opened for modification	C:\Program Files\Windows Defender\5cd267ba.js	Explorer.EXE
File opened for modification	C:\Program Files\VideoLAN\3de1ccf4.js	Dwm.exe
File opened for modification	C:\Program Files (x86)\dcQ95NCNNeQI.sys	sxstrace.exe
File opened for modification	C:\Program Files\vMSVY5j4ZK.sys	sxstrace.exe
File opened for modification	C:\Program Files\Windows Defender\4d5a011b.html	Explorer.EXE
File opened for modification	C:\Program Files\6HfafuZ3ad.sys	sxstrace.exe
File opened for modification	C:\Program Files\Windows Defender\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files\Windows Defender\3de19a7c.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows Portable Devices\5cd2a528.js	sxstrace.exe
File opened for modification	C:\Program Files\VideoLAN\lib\6c4b26ab.js	Dwm.exe
File opened for modification	C:\Program Files (x86)\fhuuGhQZkyflJ.sys	sxstrace.exe
File opened for modification	C:\Program Files\4QirpwXPTH3SB.xre	sxstrace.exe
File opened for modification	C:\Program Files (x86)\f1aMRF3NSI.ngn	sxstrace.exe
File opened for modification	C:\Program Files (x86)\RNGfHzNmol.onq	sxstrace.exe
File opened for modification	C:\Program Files\Windows Defender\lib\6c4ace59.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows Portable Devices\manifest.json	sxstrace.exe
File opened for modification	C:\Program Files\qv6LHt6cuR2fph.fom	sxstrace.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\err_1692.log	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
File opened for modification	C:\Windows\Y0w4tHf2MRhKoN.sys	sxstrace.exe
File opened for modification	C:\Windows\fRZ9yrQbZNgfxR.rar	sxstrace.exe
File opened for modification	C:\Windows\ullqffHWxImK.hzj	sxstrace.exe
File opened for modification	C:\Windows\2k9sSR6cgn.sys	sxstrace.exe
File opened for modification	C:\Windows\TRtDV8UfG4WmY.sys	sxstrace.exe
File created	C:\Windows\jcC5NBF2r.sys	sxstrace.exe
File opened for modification	C:\Windows\CxjWwyUgKDn.sys	sxstrace.exe
File opened for modification	C:\Windows\Oyarcg2vNMw.ner	sxstrace.exe
File opened for modification	C:\Windows\UhMKuSDRY1F.djn	sxstrace.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
880	timeout.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	sxstrace.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	sxstrace.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
1212	Explorer.EXE
1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe
1636	sxstrace.exe

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Token: SeTcbPrivilege	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Token: SeDebugPrivilege	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Token: SeDebugPrivilege	1636	sxstrace.exe
Token: SeDebugPrivilege	1636	sxstrace.exe
Token: SeDebugPrivilege	1636	sxstrace.exe
Token: SeIncBasePriorityPrivilege	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
Token: SeDebugPrivilege	1636	sxstrace.exe
Token: SeBackupPrivilege	1636	sxstrace.exe
Token: SeDebugPrivilege	1636	sxstrace.exe
Token: SeDebugPrivilege	1636	sxstrace.exe
Token: SeDebugPrivilege	1212	Explorer.EXE
Token: SeBackupPrivilege	1212	Explorer.EXE
Token: SeDebugPrivilege	1180	Dwm.exe
Token: SeBackupPrivilege	1180	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1212	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	11
PID 1692 wrote to memory of 1212	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	11
PID 1692 wrote to memory of 1212	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	11
PID 1692 wrote to memory of 1212	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	11
PID 1692 wrote to memory of 1212	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	11
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1212 wrote to memory of 1636	1212	Explorer.EXE	31
PID 1692 wrote to memory of 424	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	5
PID 1692 wrote to memory of 424	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	5
PID 1692 wrote to memory of 424	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	5
PID 1692 wrote to memory of 424	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	5
PID 1692 wrote to memory of 424	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	5
PID 1692 wrote to memory of 2684	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	34
PID 1692 wrote to memory of 2684	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	34
PID 1692 wrote to memory of 2684	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	34
PID 1692 wrote to memory of 2684	1692	4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe	34
PID 2684 wrote to memory of 880	2684	cmd.exe	36
PID 2684 wrote to memory of 880	2684	cmd.exe	36
PID 2684 wrote to memory of 880	2684	cmd.exe	36
PID 2684 wrote to memory of 880	2684	cmd.exe	36
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11
PID 1636 wrote to memory of 1212	1636	sxstrace.exe	11

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe
  "C:\Users\Admin\AppData\Local\Temp\4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe"
  2⤵
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\4f90cd232a611cbca937bd921cf29156844643a6e34be1d25733400a50d5c31d.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:880
- C:\ProgramData\Microsoft\sxstrace.exe
  "C:\ProgramData\Microsoft\sxstrace.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\sxstrace.exe

Filesize
34KB

MD5
75a21762cca178e3f3c4b2f31cd31ad4

SHA1
7bf7d5efd8e0bedeac5dd71f58b4586c82a1b757

SHA256
0cb000decca718a40c82e27fad341685d7b2bb5201f276acc9d1a50102a2c477

SHA512
be628b7654f1400565a7b3a9422d63f68c90e8dc95934dfb37132c5f1f9d5705428261a10df9b2972634125bec51c2593b57c9f5219e30a2f4115a19291b315f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
2KB

MD5
6c218603c90291b2c6183446bacc6d24

SHA1
c176d9720155969af72a622148e3b026252b2030

SHA256
5c1043feb6520ff37edc79d057132bd91dae22b3e95e046e2cd3301c763f10f6

SHA512
ee79c04b810e2eeb1468128759194c07cd09485fec219424c863d079b59bdbef691dd876f4b55bf8dc7c8b9b3160d7fa26d9d63cfd6d650a663b9768bd9d6931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
6df4b06a2b6a15932b5c7868fec2b4e3

SHA1
994f6614618c498c74cd061302413c6eba5af058

SHA256
1bc4686beaa67ff6e2a285ca18bec0e7dee6e82d156e634c658a832fe8bdad39

SHA512
5f241f394518572b786f73ac9d470a2dd7703c3cb1dab10a25127d3668ed0a879acf5917d5863c2c75ed9f019540bda8f588730a88e3e4014ef71744d6be5f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
599B

MD5
28e492f8197b3ff70f712623e5ec98d8

SHA1
b0e356b553fca93b87141036fc1bbc15c91bacfd

SHA256
fc6dff80740d08e8386f177486a907108d3c4468c56d6b40d1133e3e4fe2245b

SHA512
30bfc8fd890516919d5331264ab9a874fdac0ee58024f5a961a673bb6cdf9d11b23e8cd921b6d4efae45703a6d00c99b9bbff849b2dcc4b656a0e1c41791c1e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A

Filesize
484B

MD5
06eb91ecb247f71a508cd27d05b09372

SHA1
2de7c059cb911208a2b352d75fba1d5e2946bbe0

SHA256
6c17bb995bd40eb3c31d3928ae633c38317fb1cec3381c655ba2f6895bb909a4

SHA512
15ae105876d33152f36fe790ee03575d4e3434f87820ec2d021ab305c2682699665276cb488f0533e9f89993e0a1b34609283eea205680c672dc11a79e385c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76f83de66264f46c9f705d0950bd5b2f

SHA1
e820547d2f4ae38080b02ba09615356dd0e621f4

SHA256
c19aa5dd728eebb111c5bde6f2585bef98ddafe382a5eb81e7374a4cc714740a

SHA512
d9ec2fee75cccbdb71211296e773ca6741061eced5e5b8aae0f89a6e2f642cba32925d10647451206c76ac47e0da0a2d40ed41339464b52496f7339abbb0d8b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e051a1008b1491a83f7f7037fc90147

SHA1
c5b9bfcb5aa9fe4911d021bec6efaa6195e1f55c

SHA256
7ce56a639e798f17ff1b7e1bb268d6f9fec62948ee8f7e4d1e39bf19e338fb15

SHA512
d91c829ec89d63e9be673cc8c8eed9f53be7bcf8fcca01336286538a38fd31136ccbd34674ddb6ea742cea4c5df19d37431fc9c866d55d87356670776783b453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
792efa75c46de34c3195be0b555c7789

SHA1
4716f64b4b4953ec5b273febb8ac34961332be79

SHA256
48b01708077765b1900652ba320493db9d5c8283a9a88e02e370037d608e878c

SHA512
d451fd5882bcd6b0f1b192da0d386d95bee1cf0524c65459e212c0afdfa5273a369ac25b4f8f1bed9cf14eaae09c02039d55f9280b8a3a1dedfd67059309f1de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
25af60e711208274fe4f184f17f2c911

SHA1
40fb505eeb06633841258bf9828c825c9b08d774

SHA256
9143112eb24a1ed8154e2f41240f33c2cf40d15fff89b68c0b1ec26005dbea00

SHA512
79f533e3e18926c4feebbbc1c3329c622aafc1c27191fc4d1b57496c2ef135ae681cf5618862d04570cb7d97f2f92e0276b71920af4642236d1f20690e4c6551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4

Filesize
504B

MD5
d5cae3a856c49e138ae2fcb895b9138b

SHA1
e15c75b3756a5d2dd0b30583aab573f5105b3187

SHA256
4f0c69f217308c13bb7226855dd390237bbb0a719c4e2044458d6ed9aa6e60dc

SHA512
27155b40d9bb7f77a3db79e609d1f0870340a546ae22adc1c190af81801ddce997e638f8fe9dcb9b55f69afc1b4dade036b7f2871828f77d695b4e82462d7115

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E69.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48F7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\2k9sSR6cgn.sys

Filesize
163KB

MD5
fb308676cdc1b3463118d351286d9926

SHA1
f6323abe86588aa563083f4915d5f8f9699bf443

SHA256
71eac95b0e2a730156a7ae13fc063c5ddb25d983c539cfdcae0bf6f3dd149e8b

SHA512
e66bf0dc176244ca90a1fa69dd3853ba32c40b7d2a0daae841733dbe420ff2859cd20bb288dd17dc5b94fe289ecb8a1fa9a7e1e98d5d490d68cf87b1c97e292b

Download Submit
C:\Windows\CxjWwyUgKDn.sys

Filesize
163KB

MD5
40b82b4ff8dfa3a21b031269554f79d9

SHA1
2738019877ac2a227b85332ad044f2356fb8aa81

SHA256
7182451b94f1be0692fbb2220b1e9d0742d91e61943518aee78b56a5262d2cd0

SHA512
f33fe20c87cde2fd0b9bcfc2c264accf1133234c6d2f4b2f397e9a368957d60f8de1876652d9d23be4f7e6eef3385c61431132b7776a3306e9cf54ee336d6491

Download Submit
C:\Windows\TRtDV8UfG4WmY.sys

Filesize
163KB

MD5
31b98d37ff06f1d63f80f30757554576

SHA1
e4c804c956d1e7bcb851f678f56e8b2c09913f0b

SHA256
92a4b7c409807f1c80fd702e31befac751d109fac084d02c8def8f693da387b4

SHA512
ff81c07cac230a6f58bb19b1e46fe092b189d755cf2df670c8b284d3616d9f9db548c78cd46fbf4feabc3add8065bab9f7fef1bc5215b9d01ae5a2c8df74c0fc

Download Submit
C:\Windows\Y0w4tHf2MRhKoN.sys

Filesize
163KB

MD5
f1ab2e90cdb083a075166977d4f7e5bb

SHA1
7b2e0e2c68c8ad32f6e1629aa0d40afc927d487e

SHA256
60a9b0abaabe7c0a0a89615dd7f88a6eed5b767161a7a92b6dad818b4af7a5bd

SHA512
c98dae7d90995b087d1b9b821609ce792341fa07ab17b9f50b6f55daf896e67f6337e1f0f5317b4fcc25940d6939d19cc2eb73e1ed2a49b44a8d805cd2b4172d

Download Submit
memory/424-608-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/424-605-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1180-1059-0x00000000025F0000-0x0000000002712000-memory.dmp

Filesize
1.1MB

Download
memory/1212-1053-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1212-638-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1212-637-0x0000000008C10000-0x0000000008EBB000-memory.dmp

Filesize
2.7MB

Download
memory/1212-670-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1212-1055-0x0000000002B40000-0x0000000002B43000-memory.dmp

Filesize
12KB

Download
memory/1212-558-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1212-553-0x0000000008C10000-0x0000000008EBB000-memory.dmp

Filesize
2.7MB

Download
memory/1212-550-0x00000000029E0000-0x00000000029E3000-memory.dmp

Filesize
12KB

Download
memory/1212-551-0x0000000008C10000-0x0000000008EBB000-memory.dmp

Filesize
2.7MB

Download
memory/1212-548-0x00000000029E0000-0x00000000029E3000-memory.dmp

Filesize
12KB

Download
memory/1212-1057-0x00000000076B0000-0x00000000077D2000-memory.dmp

Filesize
1.1MB

Download
memory/1212-1060-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1636-573-0x0000000001D10000-0x0000000001F9A000-memory.dmp

Filesize
2.5MB

Download
memory/1636-665-0x0000000004870000-0x0000000004992000-memory.dmp

Filesize
1.1MB

Download
memory/1636-1069-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1636-1068-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1636-582-0x0000000001D10000-0x0000000001F9A000-memory.dmp

Filesize
2.5MB

Download
memory/1636-639-0x0000000001D10000-0x0000000001F9A000-memory.dmp

Filesize
2.5MB

Download
memory/1636-649-0x0000000037A60000-0x0000000037A70000-memory.dmp

Filesize
64KB

Download
memory/1636-651-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-652-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-653-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-659-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1636-660-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1636-658-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-657-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-656-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-655-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-654-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-661-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-664-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-563-0x00000000000E0000-0x00000000001E0000-memory.dmp

Filesize
1024KB

Download
memory/1636-666-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1636-667-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-676-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-675-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-677-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-672-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/1636-581-0x000007FEBF510000-0x000007FEBF520000-memory.dmp

Filesize
64KB

Download
memory/1636-579-0x0000000001D10000-0x0000000001F9A000-memory.dmp

Filesize
2.5MB

Download
memory/1636-568-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/1636-571-0x0000000001D10000-0x0000000001F9A000-memory.dmp

Filesize
2.5MB

Download
memory/1636-565-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1636-1009-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1692-0-0x0000000000E10000-0x0000000000E9C000-memory.dmp

Filesize
560KB

Download
memory/1692-607-0x0000000000E10000-0x0000000000E9C000-memory.dmp

Filesize
560KB

Download
memory/1692-289-0x0000000000E10000-0x0000000000E9C000-memory.dmp

Filesize
560KB

Download
memory/1692-180-0x0000000000E10000-0x0000000000E9C000-memory.dmp

Filesize
560KB

Download
memory/1692-105-0x0000000000E10000-0x0000000000E9C000-memory.dmp

Filesize
560KB

Download
memory/1692-583-0x0000000000E10000-0x0000000000E9C000-memory.dmp

Filesize
560KB

Download
memory/1692-630-0x0000000000E10000-0x0000000000E9C000-memory.dmp

Filesize
560KB

Download