a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb

Analysis

max time kernel
29s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
Size

1.6MB
MD5

c61cef3c24d43e753cd75db6753869a7
SHA1

2def24061b8855888484c886d9bd6aeb422dce55
SHA256

a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb
SHA512

93718b2c41d7658e9c590e8b10c8756298bf2e39f5c6a68ce994247be879e604c8d4ccb0113d9571b0f8ca8db26e300e2e57850616175bc06beff58a20ff6d99
SSDEEP

24576:B9mmqK5VEjObirx84BdEPAxU3AAmyeGF/fBsahPq5QQs49494:e85Wfl8XzSyDHs+Pq5Q949494

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1920	alg.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
4880	fxssvc.exe
1272	elevation_service.exe
5088	elevation_service.exe
1144	maintenanceservice.exe
2276	msdtc.exe
4868	OSE.EXE
4664	PerceptionSimulationService.exe
4132	perfhost.exe
5060	locator.exe
5000	SensorDataService.exe
3952	snmptrap.exe
3240	spectrum.exe
3252	ssh-agent.exe
2764	TieringEngineService.exe
4360	AgentService.exe
4400	vds.exe
4920	vssvc.exe
4600	wbengine.exe
3344	WmiApSrv.exe
880	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\System32\vds.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9136f7feac07e206.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\locator.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\System32\alg.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063de08a0b4add901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000699119a0b4add901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3396	a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
Token: SeAuditPrivilege	4880	fxssvc.exe
Token: SeRestorePrivilege	2764	TieringEngineService.exe
Token: SeManageVolumePrivilege	2764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4360	AgentService.exe
Token: SeBackupPrivilege	4920	vssvc.exe
Token: SeRestorePrivilege	4920	vssvc.exe
Token: SeAuditPrivilege	4920	vssvc.exe
Token: SeBackupPrivilege	4600	wbengine.exe
Token: SeRestorePrivilege	4600	wbengine.exe
Token: SeSecurityPrivilege	4600	wbengine.exe
Token: 33	880	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	880	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1960	880	SearchIndexer.exe	112
PID 880 wrote to memory of 1960	880	SearchIndexer.exe	112
PID 880 wrote to memory of 3272	880	SearchIndexer.exe	113
PID 880 wrote to memory of 3272	880	SearchIndexer.exe	113

C:\Users\Admin\AppData\Local\Temp\a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe
"C:\Users\Admin\AppData\Local\Temp\a4ebefdad343ecd23ef19451287939725b65158b7a2d5eeabb2586ef08ff4ccb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1144

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2276

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5032

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
69ef79425ab15869f95cd3f572fee484

SHA1
04d3d610f738b61002e5e14adb2aa6a074711083

SHA256
9ec3d9e60897032d0f54573a77f5d527bb00a9e563202b279980163d8c26247e

SHA512
e0479e3f420bc07eebd207ef16d1eb8a21616ef32ed04d6e912dcdbf0573e0423d9d0f2a60866eb1986e1184b83beba82fc957360e7bcfcc59e5616a03ff367a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cff7d18c5678c38da0c6600c4ef38886

SHA1
7ec88b307501e0a18c5e62a80685b2c3df3187ba

SHA256
8f176ab873ccf4793ad9132377029d2c2a692b6202ee657a230ef687b0d5c3b5

SHA512
48c89693b71b6b91218ab3d73a35c67e4d29edd24ca9c280638b5b565f03ecafad712c76895e59769c662e86a8551bef294b33f4e7c8270689e2b27cac66e3f7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
ef1782d8879c5cfadd7e7d24ba497059

SHA1
6e0925618ec3db4a2860474929e8910ea9f8d6ba

SHA256
800b3f850f39780824c01a54050ca7759c0a0807b1bdfd0f17b80470f25f0db3

SHA512
3d1196f544e73ff83929f14f4cc3e42145e0908a822d169d458d1a4327decd5019f1904b0545dfab5567e79efcf8325d303809dbca7729f4c349674c0a78a08c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
0f8c862fbefddac4743751c1f127741d

SHA1
674d7057606856fc6559f3a581c2e6a7cdc2ec1f

SHA256
64894daf6ac5618b4fedbb49aea38fce7bec9fe965b42abb54705f528cdb391b

SHA512
4724dd234649db23327d9ae3261009dd1bd4bcc37b9dc1f9c5584c067abcf19b0338571600c5c372bc4ed3d8a9e49db3b7d159a707e63c9b6175627dae4f9b52

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8f25c0dc98d57072914a1387895eb28e

SHA1
dd73ff12b2909e867e2cc19aa94addefadf25af0

SHA256
fade36b26f2addb1311c82d1a8a3b69fd612f8ed16949c95cb6d2b778308b29c

SHA512
87f8041b10610d788d6ffa17ca5214923262a1c64644f94839da244ba65d63abfdf7baadedb4552a0d1baa7b89ceea1439a7e8468e0a516219c9f96af382be86

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
640078f49c3c499014295f34807e3ffc

SHA1
3752ca7f5c1f78aa891f629c371eca049247e1de

SHA256
0406f243815fab7c9a0d28381b7642b1ac5455a6ade30e7770518ac071cefa65

SHA512
fb6647322231197f894797779464a4ed2cb23401a060d02a9649146ca32548daac4344bdda4b5541042047655d6c6e93b9e57e158f5c7bebcb0664b59ccdf66f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3d1c92dcb463abd314ab85dd6950d999

SHA1
c648e8417b209463fd32ee87e056a4b03783f1f2

SHA256
aab50db4df0fde32599566f01aa75e358c32734cd3a08821b57d2e1c50ea6db9

SHA512
d19f433549c30b0227c840724c915488072fc9790ac3847a644831de94a7a73c5830ddba925ed3db3c76023a49d4a949ede42531e1dbbc4c4727a52aec87ad40

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9b377ea121542f29c7e78c5c9555455a

SHA1
e7bce9d26596d9036a89d52e9219d71fae060f2a

SHA256
d534f65df6f34cccb2d128ac3efd40dd7c36f884e2e26ae3b149fdeae3eb9bdd

SHA512
f815d8cd8aa753adf8065219ac5d9ca99811786a6f305be6fab2f983829f07d0359e362c4fafc87a59543795d2ad02f8be275823143e71de47ccc093138b26a5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
78424c8cc5bbc20f4d7c47495b307aaa

SHA1
f7f2d76aedf092ab5772d63acb57d48d383bc060

SHA256
9e3df6d611f1d4b5dce08531b9d7f381884758d53a41d238e1df1a70e641369a

SHA512
ff15e2614f691ea74a3581f7433ce2935ce2c859003ba517b50a304385a78fc4479f992968533986453e66b1a4cd00257641822fdfacbc2fb9ec923c7a6fbfd9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dde2c1694e3e5fb9dbfbdd6f74d37f6b

SHA1
f8248dc5abb3f754396a8b52758045aeef58d843

SHA256
823d253b23df8272b2be973aca652138a691685ac8f655a54775b76368f941ac

SHA512
8443a8ddffbc6750c5bf88213e76b842d0a1978d3332f0f4bc66ce06d3339f77c8e6767ab49580c68db4057ac6caba56b7184fccecd141b079945e140a345219

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dde2c1694e3e5fb9dbfbdd6f74d37f6b

SHA1
f8248dc5abb3f754396a8b52758045aeef58d843

SHA256
823d253b23df8272b2be973aca652138a691685ac8f655a54775b76368f941ac

SHA512
8443a8ddffbc6750c5bf88213e76b842d0a1978d3332f0f4bc66ce06d3339f77c8e6767ab49580c68db4057ac6caba56b7184fccecd141b079945e140a345219

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cde6620dd616f4c95833cfddd0aae25a

SHA1
b322304042e24abbfb4af2335ddb1552e4164d09

SHA256
b17ea6838a47a8a4552a6a47f0e215b3b95a3655b07f7b640938315fbed84b32

SHA512
be5765bd988668f691bfdd91d2f345ac5fd73baea7d362c6cb156842ce6161647fd06b97b44cefc76d6e627e8ef3f9fdddd713b9ae7eefc678e863b707780f97

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
78e9f2be6f985b0b6392828d892eeaea

SHA1
13b230e103478b38429587dad80f4f84232ba88d

SHA256
70d50638a1634b8d5a3d9b35f9544fc621e74380823976f6da15b1dd4f49040e

SHA512
581f4dd698a80e435ec38c9e9f631349083ac3272287672eace697581a9d80fc887c71bebe88f6ea40e3e609d85d12bb598b4cc80925399350b887458115f12e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
68f1dfe738f808847448f9da034f104a

SHA1
be6a511882244645826d9a78fe476b307b7ea534

SHA256
dec357b83da63dc9753a5c38edb8ecc5d7e1c99e87be67d8043a0be92e24b837

SHA512
4e74474623324e0a478b7d917c7e9ac8760eb41bfb9c6e9bb5cadbe704dacb0c544b20e9355a85437d33152c1b1d064324ea55bb158b7f0e89667ff487684b75

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0ae596cf7db4c621dc28fc50e590b1ef

SHA1
f0bea0c3f532208d9ec158d8ce1bf601e3870ae9

SHA256
635b700bbbd2abe15d17dc44da2307e97616eb5b4fd5b389fb6e7215edfac13e

SHA512
32511e70200683aea2d7aec2573b599ed94d393bc4d8ffd04189ca448cfb4c432bc6bc73cbcb2d0dfdc0fad4d05ed5e60d384cd9023b6f38c9fd6f14f078310f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9dc030c114d616d9949432fe76ba2789

SHA1
f4ede0d2d5119bc298843c791b4b96784c075750

SHA256
f23931bfd44c52a190a044623f363ef4f807a3df11cbcd894481f03fe243393f

SHA512
02e6f22ea57c89b799aba476c1e5c88f68498e376fb3bbb587f54cdf02ad6956bf24fdd2a1ebd8cac4cea0b430e7ffb1ff94f81c7a893d13372cb8ad4e3a1ed6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9d53ba0dd228ff738ab7f08749dcc3be

SHA1
dbbb3cd5ae2cf3058c3d445e473327017adf437f

SHA256
cb6052f283e14ebc263a19ae824f7030dccd88f67ef36e8652b3348d14e9a21f

SHA512
01a9db0770de647b043a52931ca2ef84865f9739816c2186a763a15a02e949b3147269e6167ce0938f022cbb78b00b682e833bc358738d0815d35a5147d610cf

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
32567bc9c35ecffacdebecb93aa57c5a

SHA1
2b4ef6756b5bbb77b92bfdfaa0028b72fa6577b5

SHA256
9e93dd00fe60b69a9c8726c3689165cb9dc54c11165b7deeb0ada0e968ed9d48

SHA512
908d9a3758eb9420baf3fe9f7581dc20a0cc9bea8e6a5d93fd32058ec353fcbf71da98db9c1e71a7acc3747809ce50ca5add9a9f6fd9b386f3ddf33c39dc5c11

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
f96496072282ddac6583891c03741465

SHA1
2a6887fbad9f1fa653893bac52c2d7d6fd938994

SHA256
4057b5b87dde7bde682a0ceb8d7281436b827ee065950ea04ae032454cf7a223

SHA512
278d720344647c07dd04a82e429b4b5bbe114150e482ea540a0e85e6c1fb24eee797afe8f72ef6648b74b7b78e38793d10090ec89b60463b4d04d12531f5b803

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2b5739e4834d6237701df058c1f07157

SHA1
7b1418ff825e9e0e39da5de8e10c0df9e632f5cc

SHA256
b3813fc475e7977bfdfcf2adebef59950bd07a5c22f7b6c16f89a380e4310e9c

SHA512
e754f33994b962e63e500af6793a145406c63ad2df0f314a8c33e47ec5e9c1dae1124a4348e9ab77965300a53a2b7cc84aac14a7da4ba388efbbb099de58043b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8f5eb9d71a65fb09928ca7f71afd96f9

SHA1
e205eedaf13ac9a3936c5c47c3dd1a7ac7419910

SHA256
670b644618232fe065f08788abd2d2bd34f1497b671f13072f813371240c82f1

SHA512
b4e405b4071bd9b56fd027d11bfeee2174e925f4369ec67ebeba44629fc8ab823f781819d0c122048dcef69d68515d78a14411ed2aa3ba27bd6d975b98792350

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a56d50bd9bf20a944a9d93089feec4c8

SHA1
6c4f3de769c4ec164c4428233c1c7414b2429716

SHA256
2a10adeae5a1ca707612092ac686f196232a42fb0339a3a5f78959ff8ed97691

SHA512
af8071aabe66c5e758b3d8a2bb00cf83e88e8c0511d4d6e19a242227a5ef33ab7f8a30032751e7d774792fff75525473a4b42d931410d6cf270ef692ab6134b9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3bfb38052584886e39c94b45f76e999a

SHA1
449a0e3c2925d220657b72608512555b30d50baa

SHA256
c668170145ede1be0732c9024bb28b286afbfa186714500ac3d4267f59b11aad

SHA512
04d220bf85f5c634d1f1b4358f72b79840caaf935ca80819e38849b99110543fef44bfd556e6676bfea59f35bd4efd9c889a94f67cb9e25edf606325707aa480

Download Submit
memory/880-378-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/880-182-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1144-72-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1144-58-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1144-65-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1144-66-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1144-69-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1144-59-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1272-41-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1272-34-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1272-33-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1272-103-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1920-74-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1920-13-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/2276-129-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/2276-75-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/2764-157-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-313-0x0000000140000000-0x000000014018E000-memory.dmp

Filesize
1.6MB

Download
memory/3212-17-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3212-79-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3212-18-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3212-24-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3240-139-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3240-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3240-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3252-154-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3252-265-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3252-144-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3344-377-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3344-178-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3396-0-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3396-8-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3396-57-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3396-1-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3952-126-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3952-176-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4132-115-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/4132-114-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/4132-107-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4132-160-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/4132-108-0x0000000000620000-0x0000000000686000-memory.dmp

Filesize
408KB

Download
memory/4360-161-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4360-163-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4400-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4400-345-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4600-363-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4600-174-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4664-102-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4664-95-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4664-152-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/4868-80-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4868-91-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4868-90-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4868-83-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4868-138-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4880-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4880-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4920-169-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4920-362-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5000-344-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-122-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5060-168-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5060-119-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5088-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5088-46-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5088-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5088-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download