fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
Size

632KB
MD5

6e19ed93b77d42d41b79c3c176a85ee0
SHA1

3118e8b2b411e63883dbc1ebd5b86a8e9982d888
SHA256

fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e
SHA512

9c3c5174073a96a8a42abff0c9f8eb69887d87a0d354a8791daff792a58c69fd5a22a10c5e8cc90c6f40f232184764c8e87159c4d08e01a42f72fd6bad5ec6a7
SSDEEP

12288:a61vvgdFneOSg7vAmbFsBPuDraeXPOZgKbJHK/re7oPMF:a2nuICXKB2DraeXPOZar2JF

Score

8^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
2904	elevation_service.exe
1828	elevation_service.exe
320	maintenanceservice.exe
5108	OSE.EXE
4788	ssh-agent.exe
2204	TrustedInstaller.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2891029575-1462575-1165213807-1000	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2891029575-1462575-1165213807-1000\EnableNotifications = "0"	elevation_service.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	elevation_service.exe
File opened (read-only)	\??\E:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\U:	elevation_service.exe
File opened (read-only)	\??\N:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\X:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\P:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\T:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\Z:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\G:	elevation_service.exe
File opened (read-only)	\??\P:	elevation_service.exe
File opened (read-only)	\??\Q:	elevation_service.exe
File opened (read-only)	\??\F:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\O:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\W:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\F:	elevation_service.exe
File opened (read-only)	\??\K:	elevation_service.exe
File opened (read-only)	\??\N:	elevation_service.exe
File opened (read-only)	\??\S:	elevation_service.exe
File opened (read-only)	\??\K:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\H:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\I:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\S:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\U:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\M:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\E:	elevation_service.exe
File opened (read-only)	\??\I:	elevation_service.exe
File opened (read-only)	\??\T:	elevation_service.exe
File opened (read-only)	\??\V:	elevation_service.exe
File opened (read-only)	\??\L:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\Y:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\O:	elevation_service.exe
File opened (read-only)	\??\G:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\J:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\W:	elevation_service.exe
File opened (read-only)	\??\V:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\J:	elevation_service.exe
File opened (read-only)	\??\X:	elevation_service.exe
File opened (read-only)	\??\Y:	elevation_service.exe
File opened (read-only)	\??\Z:	elevation_service.exe
File opened (read-only)	\??\H:	elevation_service.exe
File opened (read-only)	\??\L:	elevation_service.exe
File opened (read-only)	\??\M:	elevation_service.exe
File opened (read-only)	\??\Q:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened (read-only)	\??\R:	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\system32\mphjklbj.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\system32\cdeplkqf.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\locator.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\system32\ekhhdggh.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\system32\ogbhhdek.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\gfllhkbf.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\alg.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\system32\ijhfdfjd.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\vds.exe	elevation_service.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\system32\openssh\mfiochma.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\bqfeghda.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\locator.exe	elevation_service.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\vds.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	elevation_service.exe
File created	\??\c:\windows\system32\ipajmmdc.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\windows\SysWOW64\qoqkikhj.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\kambaaib.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\gmoggjie.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\cgakfigd.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\hpbanfjo.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Internet Explorer\onnmbqjl.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\idddgalc.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\qcogljfn.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\7-Zip\amhadgcp.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ighnagcm.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\eqiodbdg.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\npabkhij.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\llopmkim.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	elevation_service.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\onakajab.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\apmkaadg.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File created	C:\Program Files\Internet Explorer\bhlnifll.tmp	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	elevation_service.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	elevation_service.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe
2904	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4984	fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
Token: SeTakeOwnershipPrivilege	2904	elevation_service.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	elevation_service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	elevation_service.exe

C:\Users\Admin\AppData\Local\Temp\fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe
"C:\Users\Admin\AppData\Local\Temp\fc45cb15b9b99a536416062e19a241604bb47113b392b82335494204f69e6b7e.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
87688527b9f61723c152e8e905bd0ac8

SHA1
f5e6cbb8a860d5128298b6d1139091896d9dd7cf

SHA256
8487da66a10c7e947c0930f2e85b8bb13ec5d5cc6edbe9755152b45b1987c247

SHA512
b633f4ed21673955f38d9878a11fddeac516de34609908302471cfc6eb37911306ee6bf28cfb7fa0f05a56b9ee9103fc2f3f6322b80591139d530a1340f02b92

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
804KB

MD5
3de6f0cdea8db0f577013d67342b28a1

SHA1
db661d4afc564491c0f7430efb807966805ac1b0

SHA256
9bb4dab219e3f003eb6803d7dc0676c610a1f6ee1fd611e3ad12650a0add6e1c

SHA512
2ddfee8ff836aa69b86cdbef537c0bc95bc579a118626dbb27c73721ad00d80ff24c28e772eabb5f1f74957b2141770563bc2f23b13c6188b63e5da06a9e833f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.0MB

MD5
1512bfc2f008a83dc4cc2f076e8a5aed

SHA1
8857f77fe24766ce4248b2cf79f339e7fa918dd0

SHA256
38fe2393827734da04cc89391a716f51517be0d0dfceda6cce38acb0352785fd

SHA512
a4196110e3eb716d2c0b573da9020c2ae7422894e1adda3841ab5bf5ec5557f16448097208ef6fca2b89bcf8756a72ad1fc091d130725a61dccd0fc8b34e15b6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
3e1a23a2cac92139d51033635e31590c

SHA1
77dcb343a3e114183c86786686168f2d2895b786

SHA256
49d6e97a30e9fdb4379a6a8b53b50655045d464cdb59f5b96b6131c7f114deef

SHA512
1b9bbbeb2b83e8283b945fcfaee1f18977f1f440ba6ebadbfb665a38b770bfce3d25d2bc9a8eaf53b3382353c6c92aab0c81c371d571e4ee33a34f9e17f6cb09

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
dd04a205960299ccd5403d122c51960d

SHA1
0c278c265a247a36dd101cd197f9b26d41632a64

SHA256
7a2cb213989eaba145c870a217e22295b9ff3b0ac10d16b165f4fd2b9fcd0738

SHA512
cf802d1d33355b70ceddbf8a2233516a3efc146981bf9f8af752e4b180cdc035e187f10b2fbcdf65ee2045dac009557f9f5eb4feb7d385df119a203e91e993a8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
591KB

MD5
a253cb577aa87672f7c8487c01534218

SHA1
4729586f97bcf15fcfc9389d2936c684b5ab580a

SHA256
0c2e92b4b35e83fe1b4d67135c79f7177edd4365c3417e2bea61a6b9c3c989f6

SHA512
44bd8c80f175ee0bd0e265bba5f057b369f9bae52a47d5729da80821a83544cc8c230242be32e94d8a4b8a920031e41d0e3da7cc61d50eddb877ba9390313c23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
848KB

MD5
54a36ee6d94eee194de54970604188c3

SHA1
de817e92687d2fda45d8e08d947a85e23a52e785

SHA256
2c7a59dbef2d051f5d5acbaa0db86a41a2b0bbb5a72b27e32f76579473b2e0a3

SHA512
385f02052cb69274f9039d9b3d84e149cd9c9624aed8cd175acf855e16cf49d8be53e10c7c2c08e5f8969219ddab72da0c9c583e261fa858928d6df2c28b5eab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dab9463970c9f46f1d7edb6d8e32c44e

SHA1
74b067f4845365d7f84748eb31540695b4c94dd8

SHA256
e5671e9f912cb32b5bd5e0bb8dd78143600d04a658c0c8c8a2904bfbf971b5d7

SHA512
c875f3c0d4cde890236447787acf909b08b094a3ec9d0d33350dc004e99c207feb54a74a844b70b8b3b117556557d33bbfbe4c3742b1e424c1fddd710991e1e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
918KB

MD5
cd670bf08df21938ff242d2a4dc50f16

SHA1
c38cf55df7422c3fa30586198913d3f7904d7ae5

SHA256
48e1fab7bdf47aff4158e5e5a064db11d56e03b171b0699934ff01ea0867a1bd

SHA512
880c245a124a33c94884ecf6404e576830502493f8810c798bbb098f32fbfd69cfb0834bd7b63138ef5d3b4cdc2be8742b8f8f2950bd5c4f0b3a87640729dd30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
97c60f62b0da73a1b441ad9e0d87afad

SHA1
4c8b1baf31a404a9a69cd220804535e75181589f

SHA256
ef1eeca74f31961f93c1844d5a42fcc26e068d21f4691cde5cd266a9bb5695e9

SHA512
c3dfafef4f2e28fca783a1fab6ca966046bc62d97ed009731ea758e062c7fc45629976a284ac80943b7a737cd938e0514ac4be7bf8b1080cee800dd0cb81846e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
609bdd428868be2f958401b945721bad

SHA1
78888170356d9e268c7372747a11dd5a7af37cbc

SHA256
0361b501c5be4903b723983e7ad2035819043334294c9ed79b0eed9c5f0c1588

SHA512
1c0c14a24dc50cb276a98fbac4bdba82749e1eb226260720b559fbb2022f3c1d2ae66021ee2cd67b5a407d59d7aeac4e82ff98ec52f064b99a3eb50bb72df5e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
813KB

MD5
38ad27985896da00140347f72d70df46

SHA1
d072b919e1abbdbe65839f6ea544a96fe96d28c0

SHA256
f5904377d608a2009f88f40c348681a5f532814065fd10f4fc8eb485fba9ca46

SHA512
daf46081f6db92ab336c5e87f4f2bd0f19b1d1910a305f4e1f0aa505a8421f66bc286e550af8368d325253167ac58b7252983d3d7de3bf17551263e9ca9e65e8

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
a4fb74ba396151ea03ffb5f22240de87

SHA1
7f7c8ddc8327c84d6c918cf27198ac4fa43bf30a

SHA256
85fbbcd4ff8721d22ae6e049e20d07b07288c2ea0ec8c8b0d441e0ca010c510d

SHA512
10174d29270f728f282547faefed9e8ed857a47ca60a6aaa6f4a0be756f8061acd8d0570db7569d14e013526309ef7b2956ab115c288b916886e1ad96fe324d2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
948KB

MD5
9f11a2fadf13a01702caf6c4e8e06fab

SHA1
60f5e130b06f6a53c1c58c62560e888fb2323404

SHA256
0cdae9f5ae5ee3018ef76d7796995ba05910ac03abdd7b8d7108d42a834ad0c6

SHA512
b0b894aa7b2b3d02f484ff7ea9a0e02b6d1b98eb9c9828239ec6e3ca1fc33f68a4994be07be63f91ae8c1c137dd9cad0ce6b2ac4fb60d40892cf61dda8dd7182

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
948KB

MD5
9f11a2fadf13a01702caf6c4e8e06fab

SHA1
60f5e130b06f6a53c1c58c62560e888fb2323404

SHA256
0cdae9f5ae5ee3018ef76d7796995ba05910ac03abdd7b8d7108d42a834ad0c6

SHA512
b0b894aa7b2b3d02f484ff7ea9a0e02b6d1b98eb9c9828239ec6e3ca1fc33f68a4994be07be63f91ae8c1c137dd9cad0ce6b2ac4fb60d40892cf61dda8dd7182

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
c8066adf14fd328578be1deaca64d406

SHA1
f88bb5a69771b69d2422b8204cfc8b207eff4e2e

SHA256
fe9866c0884ade240a5e1438ee3cdd8517dc30a6bece85a9aaa83b476abf1dd9

SHA512
a8feabadbbb7f00e347bf13332cd5ffc0c02067a719d5a812179a73f5aafc4833e4b5c40d18762f07b26a68b61acb2cc7f0c279008e07898672e1d0488a39b27

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
804KB

MD5
3de6f0cdea8db0f577013d67342b28a1

SHA1
db661d4afc564491c0f7430efb807966805ac1b0

SHA256
9bb4dab219e3f003eb6803d7dc0676c610a1f6ee1fd611e3ad12650a0add6e1c

SHA512
2ddfee8ff836aa69b86cdbef537c0bc95bc579a118626dbb27c73721ad00d80ff24c28e772eabb5f1f74957b2141770563bc2f23b13c6188b63e5da06a9e833f

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.5MB

MD5
46ea1250698a4333ac5b0887675a4449

SHA1
a224aa916edffe4d1bc8589c5726613936f9950e

SHA256
78bc570b6e84da0d9476dc940ae8e768c9ba70ae07047a84ba06ab02750a0fd6

SHA512
9b1278f389470e22dfdbe5671eac1710d0d76e710f66dfedc8d80f51d484b1c29e81847174d9eb877e9014131e9a36024d27b9aa44578b4d4eee5b3ea047b0be

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.7MB

MD5
7114b0cf0d1989b1ee5c22d7f19215e8

SHA1
eee463aa44a9e4bd8ae2771c40282ecde70cdb6f

SHA256
f50e0ea74b0318f221f65df1bafca2cc106b5a6077b9af47b39079292c649aed

SHA512
edf5875c9ac9ccc2882eda64157be3a67a2adfc1097ac282c81eb6b2b3a17dbcb27dd469afbd9e24352455ee6ea37ffe21984d45123458d27fb46190f4de6ee0

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.3MB

MD5
d80938583dfb42a152adb5b510531db3

SHA1
519973769523a9156aa19537a3e3ff0299398127

SHA256
a86eddd03477cf7e6f2c799b04b924d95c971704713f11f125df51f96e189818

SHA512
f64c1de5571cb1cc7337329bd6ee20ad9a2c3a3643232b018b29e8b184754884db5179e229c16ad3896660cafdcf4a9932ea05100d69e792b1ec15ef4b8acb0b

Download Submit
\??\c:\windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
8e4080bd4ed5c97906096d6f3509672a

SHA1
a16316b8108b114fcb67109ba9210b3a80a255c9

SHA256
60f36e155082b16fe5c7d68bdafe55517f75cacc6a781ee8793b04fc155023b6

SHA512
95650eb53fe031a19e759fa35439783392d0eafe227826f41cc140897e2caf24d597fea5455313ea8b7f67f5162e805850bea6e659561e6bce7b511e9bff1a39

Download Submit
\??\c:\windows\system32\msdtc.exe

Filesize
720KB

MD5
37e4cc93bb6c3e7cb91ca16c856d3965

SHA1
e14878fedb70ed726d0745d4bc3738664b455d9d

SHA256
c4a382b1d433a42087eaffe9699cb860d0c6860b33771770174b0fc009c4cadc

SHA512
a7bf3469277e26b7587b17eefb8d7b5ee83d36c39ac49dbe0088fc400159d82dd0cf086dd80c774a1f252368a0688e1b22cabb243878f8c24f5f19e7b1cb394e

Download Submit
\??\c:\windows\system32\msiexec.exe

Filesize
643KB

MD5
2b7fa10d3fd5f43438a03bfa46085caf

SHA1
394f8558167e1f78cdfd8167c4f934b05d0207fe

SHA256
64cbdccbcda8649f0357b7aa4d3947e3be7c9a60ae57969f5e70cb95857b0e33

SHA512
686ac10b79c03762c8207b1d3ac3c80a20dc133b59ec3eb2cc83d068c718a85d72b620f19ea4a5b2a3cf5d48fae01b777908789a90c3dc4bf55dace59e67a1d2

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
592KB

MD5
37cd4156e9056515d7614ba248876992

SHA1
5e8acfe03edb8ea28ee44108cda7067747b4fa5b

SHA256
bc4c9b0868d13438ba5ebdc0c1f1a86c067be3998d9b0570ed6a0f34e9f2230c

SHA512
cf4e27bf588fb3b6b04252f2a1c0e5f1cab364c5d8af014d2d75ab76126b26f5e83beb032ed2bf02efb28c2957e0297c0b9bb84ebd916f0bf34604ddd6efafd8

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
2.1MB

MD5
aef7cf8c15b9ada200ba22c03f1a3c52

SHA1
6cc3f044310865ab0e4e8723611ade18cf14d175

SHA256
7fadeb8f9ee61e848fb8d34a44f26aad15ed9bbeb312690834753a8f713361d8

SHA512
a03768bf320d2193efcf3a11ef62d15c1dc9197a59c754e5f15a01a276b6e6d9efccaf1dec27b0f96b6f9c66c1638601ed10142f15cb91cafbf61451ce16597b

Download Submit
memory/320-139-0x0000000140000000-0x0000000140230000-memory.dmp

Filesize
2.2MB

Download
memory/1828-155-0x0000000140000000-0x000000014038D000-memory.dmp

Filesize
3.6MB

Download
memory/1828-137-0x0000000140000000-0x000000014038D000-memory.dmp

Filesize
3.6MB

Download
memory/2904-135-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/2904-154-0x0000000140000000-0x000000014036F000-memory.dmp

Filesize
3.4MB

Download
memory/4788-157-0x0000000140000000-0x0000000140263000-memory.dmp

Filesize
2.4MB

Download
memory/4788-144-0x0000000140000000-0x0000000140263000-memory.dmp

Filesize
2.4MB

Download
memory/4984-132-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/4984-133-0x0000000001000000-0x00000000011D5000-memory.dmp

Filesize
1.8MB

Download
memory/5108-156-0x0000000140000000-0x0000000140230000-memory.dmp

Filesize
2.2MB

Download
memory/5108-141-0x0000000140000000-0x0000000140230000-memory.dmp

Filesize
2.2MB

Download