agenttesla | 1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
Size

1.5MB
MD5

dcc274470fb1b9922215f719d1c4640d
SHA1

f772a0bf9a265426fdf5d3b9249d96a0ad68c834
SHA256

1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495
SHA512

d29d56465e364b6017e933a2cfa6ae79f5ddfc6fde75b452da66cbfb3cb97c662761b7bb785900c63519079949ec10d4806d405b1a11b1a49364c3ce01ad6e0c
SSDEEP

24576:5u+ow/e8f4k3gbD9tysqjnhMgeiCl7G0nehbGZpbD:4+JAxMDmg27RnWGj

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
996	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk	server_BTC.exe

Executes dropped EXE 23 IoCs

pid	Process
4588	alg.exe
4880	neworigin.exe
4716	server_BTC.exe
644	elevation_service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
3644	maintenanceservice.exe
4332	OSE.EXE
2828	TrojanAIbot.exe
4188	fxssvc.exe
5004	msdtc.exe
2076	perfhost.exe
3164	locator.exe
3012	SensorDataService.exe
96	snmptrap.exe
368	spectrum.exe
4496	TieringEngineService.exe
996	AgentService.exe
2332	vds.exe
2068	vssvc.exe
1620	wbengine.exe
4472	WmiApSrv.exe
1448	SearchIndexer.exe
3140	TrojanAIbot.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org
7	api.ipify.org

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe
File opened for modification	C:\Windows\system32\msiexec.exe	OSE.EXE
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	OSE.EXE
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	OSE.EXE
File opened for modification	C:\Windows\System32\SensorDataService.exe	OSE.EXE
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\85557d7059a6bc77.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	C:\Windows\system32\AppVClient.exe	OSE.EXE
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76921\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76921\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	OSE.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	OSE.EXE
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neworigin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server_BTC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanAIbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanAIbot.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
796	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HTM\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adts\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice\Hash = "W+oiU1lFK0U="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.crw = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice\Hash = "zOOdyMK1ueQ="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice\Hash = "KcZ5NhvYARw="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.avi = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049e8ea396410db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Hash = "DRFDJcxlDkY="	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mp4 = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wm = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mov = "1"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa65fa356410db01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.wmv = "1"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.raw = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4956	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2828	TrojanAIbot.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4880	neworigin.exe
4880	neworigin.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe
644	elevation_service.exe
644	elevation_service.exe
644	elevation_service.exe
644	elevation_service.exe
644	elevation_service.exe
644	elevation_service.exe
644	elevation_service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
1876	DiagnosticsHub.StandardCollector.Service.exe
4332	OSE.EXE
4332	OSE.EXE
4332	OSE.EXE
4332	OSE.EXE
4332	OSE.EXE
4332	OSE.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
608	Process not Found
608	Process not Found

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4924	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
Token: SeDebugPrivilege	4880	neworigin.exe
Token: SeDebugPrivilege	4716	server_BTC.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2828	TrojanAIbot.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeTakeOwnershipPrivilege	644	elevation_service.exe
Token: SeAuditPrivilege	4188	fxssvc.exe
Token: SeRestorePrivilege	4496	TieringEngineService.exe
Token: SeManageVolumePrivilege	4496	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	996	AgentService.exe
Token: SeBackupPrivilege	2068	vssvc.exe
Token: SeRestorePrivilege	2068	vssvc.exe
Token: SeAuditPrivilege	2068	vssvc.exe
Token: SeBackupPrivilege	1620	wbengine.exe
Token: SeRestorePrivilege	1620	wbengine.exe
Token: SeSecurityPrivilege	1620	wbengine.exe
Token: SeDebugPrivilege	644	elevation_service.exe
Token: 33	1448	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1448	SearchIndexer.exe
Token: SeDebugPrivilege	1876	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4332	OSE.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4880	neworigin.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4880	4924	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe	75
PID 4924 wrote to memory of 4880	4924	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe	75
PID 4924 wrote to memory of 4880	4924	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe	75
PID 4924 wrote to memory of 4716	4924	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe	76
PID 4924 wrote to memory of 4716	4924	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe	76
PID 4924 wrote to memory of 4716	4924	1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe	76
PID 4716 wrote to memory of 996	4716	server_BTC.exe	82
PID 4716 wrote to memory of 996	4716	server_BTC.exe	82
PID 4716 wrote to memory of 996	4716	server_BTC.exe	82
PID 4716 wrote to memory of 4956	4716	server_BTC.exe	83
PID 4716 wrote to memory of 4956	4716	server_BTC.exe	83
PID 4716 wrote to memory of 4956	4716	server_BTC.exe	83
PID 4716 wrote to memory of 2828	4716	server_BTC.exe	86
PID 4716 wrote to memory of 2828	4716	server_BTC.exe	86
PID 4716 wrote to memory of 2828	4716	server_BTC.exe	86
PID 4716 wrote to memory of 1460	4716	server_BTC.exe	87
PID 4716 wrote to memory of 1460	4716	server_BTC.exe	87
PID 4716 wrote to memory of 1460	4716	server_BTC.exe	87
PID 1460 wrote to memory of 796	1460	cmd.exe	89
PID 1460 wrote to memory of 796	1460	cmd.exe	89
PID 1460 wrote to memory of 796	1460	cmd.exe	89
PID 1448 wrote to memory of 4124	1448	SearchIndexer.exe	105
PID 1448 wrote to memory of 4124	1448	SearchIndexer.exe	105
PID 1448 wrote to memory of 4960	1448	SearchIndexer.exe	106
PID 1448 wrote to memory of 4960	1448	SearchIndexer.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
"C:\Users\Admin\AppData\Local\Temp\1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\neworigin.exe
  "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4880
- C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
  "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 22:37 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4956
- - C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
    "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6DAE.tmp.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 6
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:796

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TapiSrv
1⤵
PID:3596

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5004

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3012

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:96

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4124
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 780 784 792 8192 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:4960

C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
29a2bb8dfb106e8653483fa58e5e0bcd

SHA1
6ad2fbca7669365d7467be9eab402960880d57ee

SHA256
7cc85009662fbb993aa4fe90496bb064bf4f7c3ededc1b7ad5b221e506e56f84

SHA512
8c9ec0ae46175ac5c9451d37db80bfdae71e88f5bddbcf1c18a53b569b59d845201a03a0ca1a0d8f6a236bfa960caf737270b9955ca431e1910fe686502146fd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
1fdb22d0edf283ce9e7c94fcdb7e384b

SHA1
222608411570438e4ef83a82d04202e9ac3e25a9

SHA256
b38d4cc1c513785ca5d495b8b276e447cade1e5f3edb9fd916cdf43618bda6b6

SHA512
4f3abc585b48c464c34a56e76a8baa9c18d06cd08ad05de25820d9e9cc42fc8bb12867290ba4b803708cc84a103c2c395d355fb460ddd62378e2ec512b7c1ceb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
57c1f76840f5ba9cb6a2c6204094ade7

SHA1
ebe064aa896fa56e7f8f028ca82f3b46f1bbc43c

SHA256
fb4223a44f55d78eadace0e9e48fed946b31239537c6414353bc8463419dbbd3

SHA512
d7b5a462f9a2f209355a605268b40e8eed56ca52d028548a82fd54496e34eadcae726a21f667d22a87da28f8154a3e224850f42ffbefab50cf5d271b8ba61327

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4559b5fc3389232797410d9a2823476a

SHA1
56e912b985951580a81f1bdbd2d906a2b3c48ec1

SHA256
821ce1795c842d006655dd7fe71a54fecb62501df96379717d1abdb777cd311a

SHA512
1d4744acfcc1ca5c6ac2ea449aa1e89568cc2cdaaa6bf509f7a719def3b103e0292271ee27f452849037f16b286f390a0df07b67d3172c50ebbe93076db1fb64

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
3a5d581bf58015ae6e353c51b64cbe7f

SHA1
212fb841fbff2a818945e65c10e8da1cd2230091

SHA256
825f5148241518c3e02377f2c6523c32fbd39e4359d0b1ed21663b45e257095b

SHA512
ab74fbc35a2e1d2f4c483981c024b6410bf174301bd02f497a37e062fb7ac4d4276efb06a192caa1a39b8678217dd79c173bb5fc13f28410e7093f5adbf47442

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
89a9a8dd28d10b6732dc5198936c14c6

SHA1
72d6d0a4359b3f36ca81ac48e1174a18aaa9f7bc

SHA256
5615954d31a3300c10c8d77172d273233aefa5f4eb3a74b51a541a151740ee4b

SHA512
e0f9e6f171be8f8fba77b5fffc6a971405e486df44512f7e74a30c62b591663908d781f29832782e5b3e5f3b15044a17a62fe3fdf67d0f8879bcd194d457a2ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
09f71f5688088163fb989d589bd371f8

SHA1
4db44ad2b5eae2d210d8e4954b39b216544b8b23

SHA256
75a0c06524ae31b87d45715d22c4bc640bfebd7951b8100ae5aea5d6ae95d7c3

SHA512
24ed062eed37da7bff8bbf822d7174baa0697fa0c841a720810787f75431af2263a788f06d339147781352a05de47489ad107a72003d0f121dc7d60527c569eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
1d0a57ae04c4bc5df352ef60e67f2594

SHA1
6e670f7bb590ecaf419fe93247380d96cbc636d3

SHA256
5a39aea2c302238037ba5a3677fd4ec453ae32bf1cd49384e01c271671e45937

SHA512
14eee0a23e57eece554fd25a75a4d7ee7ae2ad0d370fd362f50a96878c0933c3d109f65c009bfb9b4494db605fa3e26dd917acbfefbd896d227781de6b39256b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6924f2475447ed8bad48d93ba63fe563

SHA1
68c8367353e7d4b8b7423ee9e787a56607ccb2df

SHA256
1f4a9eb583a526e6750f8e29243cc67a89796613b3811861be4d056d3dedf62c

SHA512
b7a67d26a62a5a14d50235f5c8160452b3c123417ed1149a2fd27b6cbd910c5bde973ffb96cd801059140135a20fafd2ba9e57773b8b83cd03ad1ff85486fd72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
83116d55dad5611d2393fe287e3bf431

SHA1
d66c642398c40ea3a4ebdb078e0798aa280ffffe

SHA256
38214d077952b8de341666e3ae81fc745944e5a4e29de355e622438fc4588ffc

SHA512
79925199c91c0852382cd57d6fa76aabe4b82424a5ccf25c6e68dfde0c06670fd614e7dcf77f48bcd0312069d4f785de4fca40e930a0538ee60d0abd0c56c561

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
34f14905118a632cdb8687d7b70f52cb

SHA1
fda9699d9645b8ad82323b56efdad95a60209322

SHA256
6125e658a8ed0356dc96b8bd4abffa7ed7d624c878074cc8900ae431db41aa7f

SHA512
92254cf1e51a5e9eaac32f2efb9b9e0c8d0692749af01e8cab5614e2b77fe7b577a255ff2040544fbedc8e35bd7f41ade7e399bb049d8341627f84ffeaa69855

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
ac15b07aa307fa56fa5f5ca982eddd66

SHA1
b7353ab1adfd5e1b725b7e4a4953267e481bee87

SHA256
1dcee774d93988acf200a0041e78fb2305839bf2d3f5aeaa67eaa781e15790cf

SHA512
8e70a59f6c117dee407e9bc260f02ae73d4b36b391c4a428acd15201c2875a23f3624e64e6629bb1bbbb8b73391ff84818a288a6385b1c6cac548b786ae10846

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
a5c0bd397b21eefe5ca69d61a524ceae

SHA1
5577b14ec0133366cfdc5e4e402c76c42cb82906

SHA256
c14786dfe96356027a048ba7a7ac0befa1cd8527f41d4383e09f6a0d20e912e1

SHA512
ddd0ace3237011ea5a810b7b288b4d1c15be76d9425e4811ab60536575b2395fdf3c6b75ef7db69ed6c0b8cbf1d074897dee3cb0a06b02f076a246501fc15f54

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
51c6df61f998cb0a674795e74d7ada59

SHA1
56ac21586e9e853acaab609d1ff84e62c0576995

SHA256
ab1a3c78cc0924bb9b3699ec637ece2931e905e4445da8fd2ea0758f9bea2e38

SHA512
d68b53bfd3b39533d238fb2d3a9e233c3e4d09557a93e191fb751f5758d967a0a57248bd0418a1cdc930f15340177efee627ce500df8268f1234f8507b73f4f6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
674134de20cb50f94d6e5b1b054be540

SHA1
2bcbc8d8fff3a371c8e85cee99c0f88920440679

SHA256
0b0e0e76c4216e3dbb7c6eb02e172b9c5321895c140fd8d7e56f892990184cdd

SHA512
c6e0aa8aa8310412c2b49969f97b8e21810559d43d05ab252b045850c2bc41abb47c6611e4b4b6c92b1b3903faad50f4893d5593744d46ede10120c85cf92ad6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f87b216c97cc084035e21ed43cd9bf54

SHA1
e3daa89976b65ae996f8d1574243a69aea290347

SHA256
fc0b807343f63c79ea5605232e92914aae5cfbc4755a4b40cc1c242e2a806c2e

SHA512
db60a94279b5450f438eb694609cac23c118825f3d4693738095768c58be0324eefeeebf1c08fe4bf4ea298defe471ef00f1fc9c5710d78d5fecb4ab27c6e43f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
be1ec6e1b3a6128b8af9cefe0fcc1f13

SHA1
78acd30a14765db93dd20264094d0ce08438e565

SHA256
f6ca506bea838d76daa9f0ba7a6c0cf4814b285f1cbabd3d949f16fea22e695f

SHA512
80a569423da741639644397f9a0b4a3b775667a4c632b044efce25e597e8c17cd273d23e7a8efac67ddccb90d16182d3234cef78afd85ac13265075a14ee329b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
94052d40564f286285c781f23c619cc5

SHA1
68085cb2e22b66860e8b8b09cd6ed866dddb53ee

SHA256
7f4855f29c3904017e21c45fd46757c2fd184dca4597060f9e19dd2590150814

SHA512
9f8e855361ef561c0c365dac53928555b20c3510267114130525bb417e66a750ba7abc5036a208ede730f34a434836ada290c86d7d729276fba938bc216eb356

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
3e6096cf0ae6d7744f81e39de288987a

SHA1
17452e2cd450e989994c5954170433ed40301b93

SHA256
9c24a5496542816a6c19182760a70fadbdc5028b59c0343026d8541dc433816b

SHA512
c9774cd8eda338b1ee1562508445f90ac43c68cc100a07cc8d209bea68f3187e4879d435cceff1f42690933277d6660b6f64fa0041fb1603600385bf51219887

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
140e45c8e45594bc95ded460a1bb5a05

SHA1
1944f915e01076fb391f4c60380a8a1cb4e66e92

SHA256
907de5a3c8c28120f815ffb32c86e5e7339bcf9712d0fea70a960bb155ad7720

SHA512
5b8d218c3f815fe1fb4d6d672771526cd79cf7400d722471c29d1a724ece70b2a0fcfdad01f56bb2d989a81f8bd96a8de9c5d3af98b0ec4265f418b4f15accfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
e654c15bbe1fdf08d5bcd5972d6cb12d

SHA1
6ccec24d952f83864f8da82bc6a3dcb23b9c4138

SHA256
b190b12779753bd866487e04ccb5067d682ef9be1cf66e1b94a28a7d5614aebd

SHA512
7eb508716e3d8e8c0bea9bbf3ebb698b7a554e18a2ccf1313bb20ff326b007695a78513118225463032852f0b8eed2f0edc5434153d4b102aa680e5eddb36ddb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
bb7760e8a466f94936e12725da584dd4

SHA1
b08fee587fbc2d4cae5ff8d0a980b0007925aecf

SHA256
81a4cfc7032febb09e4f848ca7bc362101ad4e363ae4f9719f471b6ceaf105e5

SHA512
71ad3fcf883edbaa40c1a613fa60c69f211b4231c11a6236eb08576fc03c228f8f58299ee77bef25001eb796d546400701336fd020639dff8dbc9686db5c28e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
8c46bfb0630476fd8337d4e495101774

SHA1
128a2b22d0230badad373dc649ce29099e9395e0

SHA256
f250414dfdceac32b2ecd8689d559879199395668b789fce141900f9b523e65e

SHA512
c8c82435245b4adacd59104d6d57911f99739c57790321cc458363e70a025d7eeddf33bfcc50bfef0e117ceef677291c574f4485411d4d588e175bd9c4d441b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
1bc3206a4e603556a633ef91a2bcb038

SHA1
1cf59b3a2d30304badcd67f7d016e2f4b1869401

SHA256
bd7ff58fdfe2774ecaf1ccfa312f00b9d2d0ce17ae859216d48565e2bbd06bbc

SHA512
1320528c44991ca3ad2e28976aea11c0b0f825534d7bd0656523e2118444d1cf60fab2bd93d616f669bea2da525d75a7df8d390a879df31936306eee68467960

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
aea180a7a685d45cdee8cdc0407b46f1

SHA1
cd4eeaa797a7381b85500b6b114d05e592855e6d

SHA256
a74862b57243a36fb689928cb874017cbc160d138b0c002b27151dbd4200c3e7

SHA512
d006381732fd154cffafcb87da84b008eead9149020bf82f7fea061555403747a9b7e4aff680a7e9c388f7b94f206525bd4581829a3563b376937bc4e5c3a035

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
3f6ccea08f45b81432beb3de919ab7ac

SHA1
7e6b22447ec5f90a672e524d9b3107bd3e5c016a

SHA256
26f3e8f8ef1f30cfaf2c4ae7cc9cb83bf2d904b6af4312a7a419fd79a1dcbe83

SHA512
92f497b3c31014e2a8a039e609e44d4735fc96e235763b4f94e3fd9ad5d9e2bec0fabaf9693446934298f8da7875086ba6a7e8507833f35b99fb56548a57f2b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
4f589205bf776bcc2b6bed5ef20c9e1d

SHA1
ef2a261384b63703f3ef412ccd792288419835bf

SHA256
4e7bf63674fa91018088a58495e2c98aa80f78d895db26f4a1935ec7296fff64

SHA512
76a557229e2c59f9696ecf136ba95d860a3be0fc44629beface57190d18a6e53d184475fc689daa6a3bc24bb2c2a786920528b927fadb780b81afd2b64791373

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
89c591297775427b72c2a38625c1fb04

SHA1
aa46fe86bb73a3bfa5a1fe3d066cd71cd02a41b3

SHA256
fee8f4751cded14411fed20c7f6f31b2fe8507523da587a67547b045c6ff360f

SHA512
92005aab60f859d004a697bca7a165b80969ef5d8d34a2dfb926c9869a0c396530823628c697025ec134e6dc367eafbddc98f8d7dadc3694eff465aaab2283ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
89ebbd52803fc85b45c93bd4085a6002

SHA1
b4d9670b6ccc453e4c3dad2bfd5be58cbf71084a

SHA256
42b878cc604d041d8e0724eb08ddf46492df899b34b5c0857b8b75caf0083fd3

SHA512
c50123e54539d15b90f99860db3b0afa10c212b76f3701c97c73e3225fa5dc6c57b203ac5ed478798689c5d496e2348c18d5d6721d7440751c1f9e1c15ef6107

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
718169e7712ead3d06370b955d37e423

SHA1
2e15510c9df567504a8bfcc4790afb747f2c6783

SHA256
643d00212ba37b741f2aaea2b24b015a0ca07cc14e22d5a7dfb30539727e0800

SHA512
c779a632f696f8ad98ed367ed0a234aea83e6aa111f6776886b8d45e068e6753d35323ce921022ec2c29ec04586fc8caf7d69331d5d77ed0bdd75f2f7258ac22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
2a412d943d19afe8f1c4ef28dc4d5a59

SHA1
9f8aa050b4297ecd04bd68eb4c5ef0ec37776bf0

SHA256
4eda88d9cc35d742cbb1190c4f9a7d4649f65b86693305b640cb82ac5e8bb5a8

SHA512
0113748cd75e40f5cc364297438c588b0f4e7e3e4fe8bc13887e36fe9ef710eb7fc5fafe62250258c510854061700b5a9b54d0a2fd63aff729c121d3fc2e10ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
b19237da7bd382497b4ee0cf40b659ba

SHA1
b2d1603656aa90ddc1e2e2d996740f5160445c43

SHA256
1a093086985132dfbf42bb060170cabf4a21b134514a350b5c4641f8ae55bc2a

SHA512
4b5a6c830f97f61e15622b3df0e5e6175e4d4b776d0e1b0f5fb649076c00327fee99d69586967b9b7adb9fd587aec666ed8467a8a740956952cbf64542ec3b73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
2ea2f681edc93114a4b17ac5846d5ce8

SHA1
4d0799a034181f32b18f64fea97353e58315421c

SHA256
a9419087622a99e96bc04549edf46501b2716f7331b4d5165ede66ce246b84ef

SHA512
b4110c8964f3350ad1c2a8f68c110bfffe348606b201a68876145c5558f6d3e7fcd34e940fe72a1d6f789ff30b89abaf4e2d3599e04d04ca56bfd1f028bd48d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
d8ff995c0bfbf8676e14ec94c03d5ab5

SHA1
83a3334cfcfe7a27c80defbda01b8077a50a7c4b

SHA256
54b75f032cfc0c87414e6a6a6fda9592ce69b378f5f25aa13c3eb57a8ca514cd

SHA512
00f5a0227f23a687e33940d9748b55ed273f9e01314e0a96e1b1782bce9e330bfd87e3f46a2c0a2068ce94e12ca440acbe13b34a851d132384fd672cc68cbbac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
6c7c01af1f31725bfa53d7eda263c337

SHA1
a990ce7fd2ab9ee9b5f821c2991b4993b7524eaa

SHA256
f875e86162bfbd74984970b3d3e3406f49107a6fab628cc5210e4eb2f3a58b3a

SHA512
2a4490aa7b8fb341a7691cc162d7885b186113527f60dc54ce9707c571833a52fd82a2b97efad92a8f7bfe13e3d0683c1988da542e2077f6c2c43c6b287c108c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
4b9b24e66acafde469a637f48887f968

SHA1
9e69ae99b6e858a0af42f9f52ad4066a4f9ecce4

SHA256
b278366fbdf0cbafda21b062fa7601bdf513915fb8f695ab65e30899c1645713

SHA512
2e592a325b2502210b43eb5a8019fbd25eabffb08b8bfd3251fd4280410d2dadb09a7584d5ed0a49f30502fcd0b8623599bf65e962dc9cf189b7de385b451ed3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
644c90076b24005be1b6361b73a977b3

SHA1
125a5e3259b6cb3becc751e01edf536d1ca077ba

SHA256
9432ec3fdbc14441dbc614f2bdbab11d1998bd3072b93aa0fb2627b2c97a85e8

SHA512
42e7de9421b3ea19c5126b551d79acc5f1fbdb23c3a1427227b5fb38e35877e79f3e8b95d7825dfcc0421489ae01522dc6249c610626753a0e371c91199313ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.1MB

MD5
f934b304ddcddea1b99a01a0971ebdb2

SHA1
367e787d58370f9c789fd038c94b34c4c35320ec

SHA256
1e3e9b83752170a4277d5576f8ac22330723be67c182469ed04a77c938323821

SHA512
abf259f74b470e81d94ed86f0bb9f947d0b7a0518946b81b5c1704c756d8300a8b27c250717dd63a17edb8d9cb61532a5771fbca24dd8ab8a91997caf47233f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.1MB

MD5
2817034d8db056ce6d6199b5053220e3

SHA1
634d26a45738f0a276f040cb44b71a2a50b18429

SHA256
8aff8ec02553bb3a554f5e270d7163ad142477b25fc6796d02d9b682df41ced6

SHA512
0d8e2ab99c2a51a5835a0712d7e895ad15b38bd910d614788b0ebdfe9309a38301c6ffd29a3e56c8678f8c8ad418d37fe99269143feb4a2b1cbe5973f0cb9636

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oew5usor.qbm.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\neworigin.exe

Filesize
244KB

MD5
d6a4cf0966d24c1ea836ba9a899751e5

SHA1
392d68c000137b8039155df6bb331d643909e7e7

SHA256
dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b

SHA512
9fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35

Download Submit
C:\Users\Admin\AppData\Local\Temp\server_BTC.exe

Filesize
226KB

MD5
50d015016f20da0905fd5b37d7834823

SHA1
6c39c84acf3616a12ae179715a3369c4e3543541

SHA256
36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5

SHA512
55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6DAE.tmp.cmd

Filesize
162B

MD5
4d0170cdd3f4939ef910f8955c8a9320

SHA1
2804c2828b4e0836c7d9ea40a379ca8d1bdb0091

SHA256
f52e1a7948c0088f73c8de06338831eaf681b06ba282ded2b243fe2ab0acef6b

SHA512
2837fdc82560a31ce06fec6e6b4bf6edce8c5d26fa9d1386922e87db0bd7c441bfe7b564931b8e62a65f2a3bc3931a340d1c89b3b097bfc390a398df6b0858fa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
1098bb218a12b755c421417def7b9d59

SHA1
83994e51619350632e6d6f2d8b134bf42a31c836

SHA256
2a3fffcc6ea941324a3f8cf1f7c885ad0835631d2346f6a7079371de3359a94c

SHA512
5d47783976bd40bec84efb7bef2f3e0445f46edc5cf2344b98b9860e3c8ae84a2532cb534c3e17b4d3baaff66aca8a151cf47a4026f080129da744dea39d7c09

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7fbc781487ce4b37651dcbcf44e15ebc

SHA1
cc3a06f3f274a9b388bd600a0c0fb80602dc6d32

SHA256
5154b9f55744dfa98fb0f2c9fe621357096a2a5de6c2676ef746d6d97b044d6d

SHA512
9d4731b00b753003ac55dae3ca8fbc79bd1e06998553e7470cbd2cddec6d7938cbd48c38da08753a4b3a32581a3b63365b57a0cdf01068508a3b93ec930631f1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
fca1bd2a2502fb7cf16a8345650d8dd4

SHA1
3454b4eac51e53ed559a8517025b069750053fe7

SHA256
432d4bdfa9d84c74f554209fe328849da16734041bfad2997ed16156a0546de6

SHA512
bf3affb86e991e6fb93df2f95b0ce14d6a3acd7b8f4f666a6d4acae16d8abcdc30bfcd6b06a126a0c5e76db8abb85039a6f28bf8ed8e60ee951586f9bb68110b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
61f3f485e66aeb4fe5924c59c6d93074

SHA1
8ccbe6e0f39757cabc0fc1900185ca39e2187c72

SHA256
1635560d15f6fc7e36c64f8b5141f9ec5485f20a7cf90351e6d70e3c578f40da

SHA512
f9169e9f60737af0b27c9a088b097aaa6e488f06d52dbcb773700a02da6bce03bf2daa5474a25d64d2e8ca75f634bd964cac61c8b4a7b00463633af8513fa374

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
7e153c81d14d3cf7149660cf7602f8f9

SHA1
9fdf5a6ddb34a64e6b52a32cb304bc4cc3bf47de

SHA256
4f0acfc9130ca7cd1210414107321b93c45cb15afdf58ca74660158a1e68bd5f

SHA512
4ce2ab40dceb0e000ceef4074f37226d90016ce7d071887f26924ca995a217cf23b2f91736868c26fed27efd8a02b036a03a376c521a9497c4bd3f2491a2a278

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4d66a3caeebc4ab5ef9bf348c47a1726

SHA1
334b8f9466ed2b943650a189b9c853883ea448ab

SHA256
431da99bff63118304d2e5a8127341f2efecbd12c93c30b878c49513a642b111

SHA512
1c5d37a828aa0d5ff5cae06d95fb79f0c954c24b39d6fb09e42efd94ca2b4a9ffeb24e17ffa5d2ecd0b834820d1bdb307dbdc1100e9d5c561d37f540c41ee874

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
977d0c119941b0058a49c5af193fcedd

SHA1
123673d99604f81a3b51fd4db24254e13f26a90b

SHA256
0c31d056bd90c60da3a8cc25575a982a72df7c0dcf4a69182e1eadfe7bd8a0ae

SHA512
ffba034c4902ce19cec4ad6e40b3d077687fa6c745d52572fba022b0e26fd0cb332499f30addd1441acae77c85b510404108edebcccfa49569490e355fbcae59

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ab808003e30b80eed43d46ffbcee80ed

SHA1
a63ed6ffc062ebc68dd36833b3389b78c1fb2fa0

SHA256
0486b060b05a07c673b3d8a2169ce057ea0a63a07af86c0fdc38009da416a76e

SHA512
0068cd1d331de806c8b5f9f4eb571055daf0c21cb58eaa3c242f29d442cad0420f91d138b753c437365f51fb88743d9810a3f5875cba9b38f8b97ad5dcd01c8b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
5e7da08982aa8c3db36d551cd76de3df

SHA1
a51dcdea106ae7468c0bfb189df6d97aadee0736

SHA256
487f78797644bd7207aa19da29f6b5e577509b260e994f463b9d4215a72c9b3d

SHA512
718d0882b5a039869abea5b6e1c229c232e48b58a7c6e9a9183a5c868707dea92aa61d560a8d70541b798dbb36a18bc38386060d0834c34a8b5a6d467c4a3740

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
be4821c2805f55bbc44c396473b361cc

SHA1
b82f5735a9c0b74bf0a882f8a61fba334c8c17d7

SHA256
52a1f483534c555dcfba646064c125ce3bcedb38f2ea63c23e90ce05375ab974

SHA512
f388d02317b3fa36a7490602aa81cc84598720eded2a5d5b3c067abdc1143307c8aaa96c8887869ee5358cdac0edd05f79148cfaecc8aeb85bb48ccb772839fd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c0fea86b333d082baf68056f7baddba4

SHA1
da56a9daaf01cdb5ce5b4e8bd5b94683c903d754

SHA256
5c42410a817e9b69b4eaeaf9182adede54dda654ca732c7add64b26b6a231423

SHA512
7a089370a773ab990ad0c35eeae1830c48bf0e64468ee4cf8b763749cfc3a04376a2cc58eedf2fbb4522203dab267080c486e248e64ce0d53bbc5e30ed6ca5f9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
45e5ba9647b84d482f3d463fbf19d205

SHA1
fb3c2d179aae8cf53a709b602f34740af55dc9c1

SHA256
aab5626a79ae37dbc16085f30a6ebde356701da959d78a693bf26a817ba6ee37

SHA512
39045f8a388d33943b89e12d3d28e1966a497f45862a1bf7035c8582302a516300aaba71c5ef4644ce161bf5142dbc43fca87a2bdcacbc63b78b4606574f65bc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
fb3cf4b4729c6ef97a4965bd48979ef6

SHA1
ef08fb39161d9943e773f17d6923c22d38f202a9

SHA256
4e63c22a2f699796fd21fb9cf84dd7dc4ab94d9f44769dd9b819eaf0eb4f671d

SHA512
349a78dfeac2c4be1b544d7d5a802bea146b0a92b37f857b5d8198d3bcc2cea2367f481f48a078d62fed350c3a98ea99c51b69ab4696af9ce47e9240787e959c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.2MB

MD5
c0c55f4bc8262063611198b00777feda

SHA1
0bc2d079cd579bf8f885e2653217aa953d1207f3

SHA256
5e79a33f30a356def9e4e4db1c608b87f35add18cda03c2b3bee7b8da6f5161e

SHA512
3166c6f1d0ccfc370ef1f02620f02c5e90e607176e8d230c115017ab292fc54075776d6acbc53fc5f1ca53392a46bf32d12d7714a77df5a1f003a0e128dc3779

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
576a58dee0567fea3d6d94cd6664c964

SHA1
cad5c86795a885bed24c6f2d321de71849e64f9f

SHA256
103229f561e52d14251c60bc6bd95f88e9b91ff9353e15a75b83c7cc102a05df

SHA512
0b5e87ba5a5ea5b497b3b41ba1b621d18762912d93d5095bcbe457af4883a5704d388bd332741cd7f7f3c3040472e09938fdebbdb49cb7ace40a90af4588305e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
47f8c8c6f7a7a6cba26b2301055fa0a0

SHA1
ff1d3b6111915f4ff217f8e336ef70d8093927b5

SHA256
fc2d66c5d7e7e494da48786c796d81f6de21634d0d9fd315d9dcc835c738f860

SHA512
33c4cd5a0ffb69fb1e5126743b1fb4cc4cb3ceacde23b02cab4ada64464972193f6c955db3db7a13d767a18928a36d3986b856b4a8362896b86f3ddc1b0d10d1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.4MB

MD5
0412a75f9041805de4c3464fd43c0fec

SHA1
dce06298dc6c1bf1bd1a7f32ccc32240516acbe6

SHA256
a28bdf4accd511510c900edcc3b48aef0366a746b2ffc236607f13ed889c2190

SHA512
e2eb877297234a9204de42124c03059b89cb1a434110530a47c0868b28af8b6272322ee2152e90b0b2f662a9cdc9417adaf4bb1e33abb702c8b1234a66e6d9f1

Download Submit
memory/96-773-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/96-594-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/368-597-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/368-774-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/644-515-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/644-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/644-43-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/644-49-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/996-136-0x0000000006BD0000-0x00000000071F8000-memory.dmp

Filesize
6.2MB

Download
memory/996-191-0x0000000007AF0000-0x0000000007B3B000-memory.dmp

Filesize
300KB

Download
memory/996-288-0x0000000009040000-0x00000000090D4000-memory.dmp

Filesize
592KB

Download
memory/996-270-0x0000000008E80000-0x0000000008F25000-memory.dmp

Filesize
660KB

Download
memory/996-487-0x0000000008FF0000-0x000000000900A000-memory.dmp

Filesize
104KB

Download
memory/996-264-0x0000000008D10000-0x0000000008D2E000-memory.dmp

Filesize
120KB

Download
memory/996-492-0x0000000008FE0000-0x0000000008FE8000-memory.dmp

Filesize
32KB

Download
memory/996-124-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/996-150-0x0000000007200000-0x0000000007222000-memory.dmp

Filesize
136KB

Download
memory/996-153-0x00000000072A0000-0x0000000007306000-memory.dmp

Filesize
408KB

Download
memory/996-163-0x0000000007620000-0x0000000007970000-memory.dmp

Filesize
3.3MB

Download
memory/996-183-0x0000000007600000-0x000000000761C000-memory.dmp

Filesize
112KB

Download
memory/996-263-0x00000000702E0000-0x000000007032B000-memory.dmp

Filesize
300KB

Download
memory/996-262-0x0000000008D50000-0x0000000008D83000-memory.dmp

Filesize
204KB

Download
memory/996-215-0x0000000007C40000-0x0000000007CB6000-memory.dmp

Filesize
472KB

Download
memory/996-619-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/996-631-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/1448-681-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/1448-913-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/1620-884-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1620-664-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/1876-514-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1876-53-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1876-60-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1876-62-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2068-644-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2068-879-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2076-667-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2076-558-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2332-633-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2332-878-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2828-272-0x0000000006510000-0x000000000651A000-memory.dmp

Filesize
40KB

Download
memory/3012-763-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/3012-877-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/3012-575-0x0000000140000000-0x00000001401DB000-memory.dmp

Filesize
1.9MB

Download
memory/3164-680-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3164-562-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3644-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3644-61-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3644-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3644-90-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3644-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4188-536-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4188-530-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4188-524-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4188-523-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4188-549-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4332-78-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4332-518-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4332-84-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4332-87-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4472-887-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4472-668-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4496-779-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4496-616-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4588-20-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4588-501-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4588-12-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/4588-21-0x00000000005C0000-0x0000000000620000-memory.dmp

Filesize
384KB

Download
memory/4716-65-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/4716-38-0x000000007293E000-0x000000007293F000-memory.dmp

Filesize
4KB

Download
memory/4716-74-0x0000000004FD0000-0x00000000054CE000-memory.dmp

Filesize
5.0MB

Download
memory/4716-76-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/4880-91-0x0000000004AD0000-0x0000000004B36000-memory.dmp

Filesize
408KB

Download
memory/4880-271-0x00000000060F0000-0x000000000618C000-memory.dmp

Filesize
624KB

Download
memory/4880-64-0x00000000000A0000-0x00000000000E4000-memory.dmp

Filesize
272KB

Download
memory/4880-513-0x0000000072930000-0x000000007301E000-memory.dmp

Filesize
6.9MB

Download
memory/4880-269-0x0000000006000000-0x0000000006050000-memory.dmp

Filesize
320KB

Download
memory/4880-42-0x0000000072930000-0x000000007301E000-memory.dmp

Filesize
6.9MB

Download
memory/4924-1-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/4924-0-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/4924-6-0x0000000000AF0000-0x0000000000B57000-memory.dmp

Filesize
412KB

Download
memory/4924-39-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-535-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/5004-655-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/5004-538-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download