ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f

Analysis

max time kernel
39s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
Size

3.2MB
MD5

f4fc2ffcae1f7ca991858761fffad316
SHA1

99f492df73367244d37fbcf00fe66dc3f8723347
SHA256

ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f
SHA512

9854abfc5c7319f1d48088fc819e2a0239c497825d37de8ecd3619e9dc0a10a60b135e5cf6643079878d4e47db7302e7af8fe86ffced2bc451ec8e7360e2e4ae
SSDEEP

49152:Z4vRsZXxdwzKUCamJg14AjJ/txzJgVKTU+ATbOEJa9YEYjIlKpk887iwvq3Y:Z4vm9zswaL14AjJrlrwO9eXwEY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
812	alg.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
2804	fxssvc.exe
456	elevation_service.exe
2752	elevation_service.exe
116	maintenanceservice.exe
1064	msdtc.exe
3048	OSE.EXE
4176	PerceptionSimulationService.exe
3172	perfhost.exe
4804	locator.exe
1820	SensorDataService.exe
3480	snmptrap.exe
3896	spectrum.exe
2180	ssh-agent.exe
788	TieringEngineService.exe
3056	AgentService.exe
1088	vds.exe
3092	vssvc.exe
4448	wbengine.exe
2660	WmiApSrv.exe
4304	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\System32\vds.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5f9a4317358f2c5e.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7C5F1F7E-8F11-4C35-98D2-5907B947E9FC}\chrome_installer.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd73d84212d9d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5adb44212d9d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1056	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
Token: SeAuditPrivilege	2804	fxssvc.exe
Token: SeRestorePrivilege	788	TieringEngineService.exe
Token: SeManageVolumePrivilege	788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3056	AgentService.exe
Token: SeBackupPrivilege	3092	vssvc.exe
Token: SeRestorePrivilege	3092	vssvc.exe
Token: SeAuditPrivilege	3092	vssvc.exe
Token: SeBackupPrivilege	4448	wbengine.exe
Token: SeRestorePrivilege	4448	wbengine.exe
Token: SeSecurityPrivilege	4448	wbengine.exe
Token: 33	4304	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4304	SearchIndexer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1056	ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2712	4304	SearchIndexer.exe	113
PID 4304 wrote to memory of 2712	4304	SearchIndexer.exe	113
PID 4304 wrote to memory of 904	4304	SearchIndexer.exe	115
PID 4304 wrote to memory of 904	4304	SearchIndexer.exe	115

C:\Users\Admin\AppData\Local\Temp\ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe
"C:\Users\Admin\AppData\Local\Temp\ee2d5493690d26cb213f9cebca336680ac8215fdf1f33baa6fa6d8ed9803a40f.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:812

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2192

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1064

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1552

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2712
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f03add6c4fa9f082e4f3ed855ff95ade

SHA1
302be59436cd8b230b738e56758aa4797f1ce5a2

SHA256
50ee72abf02c60363bc580caa43dd9344ca53069689a07912b8af71b440da323

SHA512
9ea50961c9f759e1391e83dc74b9341a6ce34ce227adeb06d6e959514e6eb9cf46de85e5ec02a1681eaf084f350f10840b067f708758311efd3c0fe8659d2ba0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
e40055f8e12d2c1425418b0fdbae84f3

SHA1
6f37700f4674e3166f554d2d72108bf52f16a69c

SHA256
01b32f3a1542a5917b2ca29f367abeeb6d14bff4a7bf246e209d21771c404b72

SHA512
8378389f3fecb4bc6ce457cfd4ac8ff6c6e7238fc64beaa5954820fbc4988cb7f45002d55cb85351950514179bc46ae01fa37a12d3a7255cedd8227ebe9cb356

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f57312fba99ee97d730f442dc4c008a4

SHA1
3a409bdc5d4f5371ef894a75ca8f2a791d1a46cf

SHA256
086cf4a0ece7684d63f7cb0fcda1023fe1cb385c3367397f6af0f313de032088

SHA512
f9ae5cbf9ec694c220b738bb44d72dcbaec79322512684b7efb2863abca78fd06b4838168df81f45d9da14cb0fdb61a7826ad0748c64857bce0910c90ef40cb3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
faeec18062e375d9bb0df27ea12d3d6d

SHA1
be4099e96f133d25ee8a33ef92319e016ed1df24

SHA256
fad491e9b1491c9d934c071ed33ead8a270aa593ccf2752f380e3ebb88f7e79a

SHA512
0e792cf68db212432ec6dd9eaea16c34919eba5f74f5de131ae5c58f98537e174724dd497648f0e6948fcec659944ad93d7db5d70fa25362e0144fa847f9c1c2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
00a37090fe4f2824862e04beabbbb2bb

SHA1
6eeacb431e3e5bc59299cddd4e3c8639946b8575

SHA256
41f39c8e4da414e618eae5bc33b20a5b5f7b975b23fbcd150bcd5460dba39920

SHA512
0d525406c3fbf6ae15ffc27a36da6d90070f4716a8082f07d875586541d608fa22cd96662427acdaff17680a6323dec102b0046f5bafeed616b1da4952a2f606

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
12b4b95ac4c39e929662f68cb8547c0e

SHA1
a5739505a5d2e0b9d9a1c4e755a175172ca1ae23

SHA256
1bab5716464fb2d1a23db9f426ff502b5f41779debf938f8eb493917c36c98e6

SHA512
9655fa8866abf77662a600b4158134b63f15b784ad5f7aa920e1a7ef652e07bce1fab2354cff49babdba90b134c8518bc0c4fbfb3af8c6e95f93ef9b88c8ef0a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ef042f7227377f6c3c54113add1bfa82

SHA1
de2a20596b67bd4ccea403f40d207cc0e75eb8ce

SHA256
050165b14033e6c6c6c8311f2c990a09551e8d6450cee1801211d5dca6ce6e5c

SHA512
d213939810f60ba5f5273f688b55d19e8bf156fe038444e5ef080b4b75d672b59f4ba1da242e127fb11d8bebdd95fa11c76e118adde2c24858bc77516a459308

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d1815b8c2d2e89ba652c1626f0b58ed7

SHA1
de49cf0e616409dbcaa112b60f0190f0f1359d70

SHA256
9bddb4f988f5f1bbbfb2aa4ce90e29b17fa6ae40d20316ffbe536c91e86032e4

SHA512
d974aa6c119790687ed66d0da93571a2d6b787e8abd4485ec231600839aee8a9471b879a7288a8aa6291b758ca23eb76ef186601ae9817755cfe4e34ff07939d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e453cf5c5da1cafd59be7b01d00bea15

SHA1
5b0ab968ab7b2f4b07f45fbf9a9f354ded205940

SHA256
1e97cfe2140029a3296a75750458ecbafff6f70311fb792ee5f2acf1be401862

SHA512
2c27568c994ab009f1d1c962f5ef10a7059747dfcd9f408b7cea794a30d65f6502859391d38c22831e5c24ee83dd487b5a64d7aaa0cc202db74fa8ffa784c237

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
84602e4957bb4138363f6b624fd442a6

SHA1
5253294e6add99347655e9d16bafc581f8424719

SHA256
c0256e58dd679cc5649cc0d7ba7cea208eec0b4658d159892bdc4ab01c85e510

SHA512
79ca1737c282dbc81a809d670e9ec7a8685d46f5b1670e8c38cf5d6c6ac92edb579766c48f4e5f3c09338de8bde700535d67f76c2fccd1e5041171a54ff586da

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
84602e4957bb4138363f6b624fd442a6

SHA1
5253294e6add99347655e9d16bafc581f8424719

SHA256
c0256e58dd679cc5649cc0d7ba7cea208eec0b4658d159892bdc4ab01c85e510

SHA512
79ca1737c282dbc81a809d670e9ec7a8685d46f5b1670e8c38cf5d6c6ac92edb579766c48f4e5f3c09338de8bde700535d67f76c2fccd1e5041171a54ff586da

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
681720a09f5528403b7d833db364c824

SHA1
15435ed768597ad175bc65d45a3e69147d1f8fee

SHA256
d298d81ce4d6628fd7849a66ac60144e332e208a676b55c6247490cae7ad2a7a

SHA512
e30fc88be4a77fc3fcec1c1d8cc009e4b52ef607af7cd7d8f865cf193009ec1c577b9eed8069923c58c571332edab7d8faa8dd3775b98a2c2ee4b53cd0350da9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a0405a5f939a8dec7293ece4fb630025

SHA1
55d8ed8d1bdbb0adaad93d5e3750adec26befcf8

SHA256
8ced1f813a96e1eaa63470d93901dac9986fd483292853271814de616ede412a

SHA512
b26b159b60c308e6b7f8a1c8d3f2b9cbb2a57548d3cdc1daddd5b2d5f11e4637ca3327ebd59744c272bc245f19936be0896c755e14cc980bd763aa3a21071fe8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fa4d1286801e826cdb7b3b0ed533ee81

SHA1
52a18f01fcee2da667250ecf788b3ffa40bea2ca

SHA256
74bc9b4e453a680a66434c57ec4bc4c85b5b67713a39c3c5fdce0a0bbf23aba8

SHA512
c694b2009f35693bf8336da0d2f9e7862b50d31cdf4d16833c3a0452f6253804dea22aee54d1d93db9d023b8773438703824eb40c6c31e5671c6c9ecaadfd983

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d486e6a11b631a126c69f52ed284ccfd

SHA1
1ba00d1afaf333be924dbf952e1a55a0c80ddca8

SHA256
b5d7c0661f91f6e4160a333110438fa2a0748e156f6bb48e1092f8fd2a8936d7

SHA512
8c0e47808422dfd7b8d0d16363d296c1f486898c45fcdc8ce101add8a8261f92a58fc3c38dc081e9426e1ad5213701ad2de7b80ee68c608c065c2c94cb571262

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dff2f208a389aa4e51757779e40566da

SHA1
3f504b141f69acfe036ea762fc7a2151a43c711e

SHA256
cd34e221f0af0fc797b00685442a077f3f35db3f561e51504799cc4bf7e241da

SHA512
6618b390442e5480bbbd88a3a92ce157bd5278a681b8c4a6519645946e30be87e4fdd2e58107e320653828a2ab3d6706aa00bea26560c6366ca8ec415d807587

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a4de582e6fbc49d5b1d47772c311998d

SHA1
f96a35b5cc12f1f90f7ec9133e877676bb36c007

SHA256
47f3d82f53f306ce54d7a27d46c5604b31912a926a87f849051d5d91edb263c0

SHA512
4d907044a462250071ff854ccfb63f13f0fd0ac5ca376746b54e1614dd73393663af7ad27e6b71bf5bc430212259987d044fbf44c18054c037be3a58e3c130ab

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0385f3ea1e312e76b05435d6716002aa

SHA1
3b5624bdb67cdef153d2823d5b9b3e86c1d0d3ed

SHA256
aa80879eefba48837685244b0eac0b5f37e656d03ee8c68933fc8767d2c4339e

SHA512
6577c5e71e928e263989775ea5d5c08be95254e64164897e563b3ee44b61d7a723c3882ab7e246e9ecbb0386bb0ce51650e01aeb978bca6e3660ea3509b43957

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2868d9d435dc65610b50470cb5899f84

SHA1
e93e59d693e4693fc3417147c573aa01d804bf8f

SHA256
33998191f59f6fd9cfda00486dc842921748e215e46bc1fb268df4f7083fa043

SHA512
e531bb4defc104656ad6063bb0d208811bbddbc6f8d87ae7227946ebffccb629a5d40a80cbc6e6e1d644e42ebd8037e529548bef158332452227107220cb3f4b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2045465d33fed7335cb8bf7f57a85359

SHA1
39020caa92348121d64b2d9930b1822df72e9047

SHA256
4bdb4c0e6c4b9f9fed03b6e40502404e01470623758ffcbd67512eaf2cb8a045

SHA512
8e0adcb707402d31f552b85bc11bf4babafb178e260509e09cf2fbb566661413798dd612f069ab4d9df9c4aef2db58d278db00e5c464688a56311d8f6a17be38

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4edf1b9a3e985d6a2dfdb411b2eef82f

SHA1
2a777d7809b100ed8ff46a613273c8af5e80cdbe

SHA256
4a48cbce6b472845f4fdcea97be914550bda6a443f2119071427a435832c5938

SHA512
dc4bbf6623386e8036263fcb356941739a04edec1004ea7a8bfdb121f459566bbd9d34113fa177cf65b2dd9ef88161bedad08d989d02e32a383aa8f2b38f6f15

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
988bfcb4e4e54ef943b7a9e605f16aff

SHA1
4d7662a0cc8b32cba89c3e98bcf474e8e5c228ab

SHA256
9addc9df502123880cbbc3ac6936ac22e4fea86db3a7168f87f6d6ac892fd8dc

SHA512
5ee66bb4cd0884535e3d8665612cac04013ec0d5ecbd75d6d76fac03165eea8b0abdf6b65a809a3d7c19f4a3e4ade58cd69f9c9e1828b2d671dec55db2a90d42

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b601232f1dd24da71513698f5666705d

SHA1
fff3b462721cfa1e101d94e41cccd21a8dc39d78

SHA256
c6fc5dd2070f58ebe8d16777c33fa7b34d7fd6260f1547c776f81d2996b60e95

SHA512
0d7ef92b67fdbe9e46b310672d667bb8eac7eaee7031bcf4757d082db529d6a5db98a057feabcaa0d785671dbb6d6b8920f0ba8b16d68d2a60f469ade9e6abb8

Download Submit
memory/116-89-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/116-82-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/116-96-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/116-83-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/116-94-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/116-90-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/456-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/456-111-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/456-63-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/456-61-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/456-55-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/788-278-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/788-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/788-218-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/812-68-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/812-12-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/812-21-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/812-22-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/812-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1056-0-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/1056-62-0x0000000000400000-0x000000000074A000-memory.dmp

Filesize
3.3MB

Download
memory/1056-7-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/1056-6-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/1056-1-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/1064-106-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1064-99-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1064-163-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1064-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1088-249-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/1088-242-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1820-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1820-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1820-165-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1856-29-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1856-28-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1856-36-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1856-81-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1856-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2180-196-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2180-265-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2180-206-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2660-288-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/2660-281-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2752-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2752-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2752-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2752-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2804-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2804-48-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2804-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2804-51-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2804-41-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3048-177-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3048-123-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3048-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3056-236-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3056-231-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3056-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3056-237-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3092-257-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3092-261-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3172-205-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3172-141-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3480-239-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3480-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3480-179-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3896-252-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3896-192-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3896-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4176-127-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4176-135-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4176-190-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4304-300-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/4304-293-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4448-274-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4448-267-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4804-143-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4804-209-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4804-152-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download