ff5808ac4b050e10713e9132bd3961c369de9bc8791b827f65d143ffbaf119d5

Analysis

max time kernel
119s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 15:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4132cbda66975e8172291aa4d6c4b232.exe
Size

672KB
MD5

4132cbda66975e8172291aa4d6c4b232
SHA1

f2484170990c6846d763d3a7743ee0d7d2e46754
SHA256

ff5808ac4b050e10713e9132bd3961c369de9bc8791b827f65d143ffbaf119d5
SHA512

36d70b773399ceb1a4d1e5f36ec49e74637813a1f9d0a06de96a875e535bb344cfdb8f8d3f2bbf0e885d546b7ce310caee61ba0d8e598c1eb2f93b9eb7fe970b
SSDEEP

12288:QeBNUbTVO86UCHruRdp+WA00SKCpVRwfXXSVUhbxk9e/pJu:QJIUCNd0nKwYvX+UhbW9eM

Score

8^/10

discovery evasion trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
480	Process not Found
2880	alg.exe
2668	aspnet_state.exe
1100	mscorsvw.exe
2524	mscorsvw.exe
788	mscorsvw.exe
792	mscorsvw.exe
1708	mscorsvw.exe
576	mscorsvw.exe

Loads dropped DLL 4 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3470981204-343661084-3367201002-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3470981204-343661084-3367201002-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\M:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\N:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\P:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\R:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\Z:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\Y:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\O:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\X:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\H:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\J:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\U:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\W:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\S:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\G:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\T:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\K:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\E:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\I:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\Q:	4132cbda66975e8172291aa4d6c4b232.exe
File opened (read-only)	\??\V:	4132cbda66975e8172291aa4d6c4b232.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File created	\??\c:\windows\system32\ohepleni.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File created	\??\c:\windows\system32\inkgngnj.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\keecmbcn.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File created	\??\c:\windows\system32\pbpmejqm.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\lbipkhoo.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\syswow64\bpgeknfi.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\alg.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\locator.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\bjcfhdfn.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\wbem\hpfnkhdc.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File created	\??\c:\windows\system32\qlekgfam.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File created	\??\c:\windows\system32\ahpbfboh.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\vds.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\dilpfcbm.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\hjhjcdqb.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\lafjdino.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\system32\immncoil.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\system32\qmepobbn.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	4132cbda66975e8172291aa4d6c4b232.exe

Drops file in Program Files directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\clmaedbq.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\jkgaipki.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\program files (x86)\microsoft office\office14\hofhpaii.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\occlljkq.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\olemadei.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\kgacdccg.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\7-Zip\mgecidfd.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\lkamjdjk.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hhfjjgab.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nnbpngba.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pgildlkb.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\nhmjpmoo.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\program files\windows media player\ohdajbhl.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\7-Zip\mnmjadqg.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\jfjkgccl.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ddnfppgh.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\pijgofaf.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\program files\google\chrome\Application\106.0.5249.119\iahlgipm.tmp	alg.exe

Drops file in Windows directory 40 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\bggoinlc.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	alg.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\iceanbba.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File created	\??\c:\windows\ehome\icfhkdlb.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\dkpinffn.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\haciggjl.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\bgllkmhb.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\fhfhikim.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File created	\??\c:\windows\ehome\lgnlgdqf.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File created	\??\c:\windows\servicing\lphpknpi.tmp	4132cbda66975e8172291aa4d6c4b232.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	4132cbda66975e8172291aa4d6c4b232.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	alg.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe
2880	alg.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1728	4132cbda66975e8172291aa4d6c4b232.exe
Token: SeTakeOwnershipPrivilege	2880	alg.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe
Token: SeShutdownPrivilege	792	mscorsvw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1708	792	mscorsvw.exe	35
PID 792 wrote to memory of 1708	792	mscorsvw.exe	35
PID 792 wrote to memory of 1708	792	mscorsvw.exe	35
PID 792 wrote to memory of 576	792	mscorsvw.exe	36
PID 792 wrote to memory of 576	792	mscorsvw.exe	36
PID 792 wrote to memory of 576	792	mscorsvw.exe	36

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\4132cbda66975e8172291aa4d6c4b232.exe
"C:\Users\Admin\AppData\Local\Temp\4132cbda66975e8172291aa4d6c4b232.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1100

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 16c -NGENProcess 170 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 16c -NGENProcess 170 -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 1b0 -NGENProcess 190 -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 234 -NGENProcess 208 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 238 -NGENProcess 190 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 23c -NGENProcess 220 -Pipe 1b4 -Comment "NGen Worker Process"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 220 -NGENProcess 190 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 248 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 230 -NGENProcess 220 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:2580
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 250 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:1524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 234 -NGENProcess 240 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 240 -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 258 -NGENProcess 250 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 234 -NGENProcess 260 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 168 -NGENProcess 250 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 250 -NGENProcess 25c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 268 -NGENProcess 260 -Pipe 1b0 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 260 -NGENProcess 168 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 25c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 278 -NGENProcess 168 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:964
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 168 -NGENProcess 270 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 254 -NGENProcess 284 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 284 -NGENProcess 268 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 168 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 254 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 28c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  PID:2532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 28c -NGENProcess 190 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 298 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 254 -NGENProcess 2a0 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 294 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 260 -NGENProcess 29c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 260 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 2b0 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 29c -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 29c -NGENProcess 294 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a4 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 280 -NGENProcess 2c0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cdaalmfo\cmd.exe

Filesize
93KB

MD5
9f27886eeccbc4b16e18679bd31fc871

SHA1
5f023cded07639518d0ec7f6e67a69f3b49dc6ee

SHA256
83379c1b1d4994256ca9c2c4433cefd5917700eab5318a7841ef2d65a9720f16

SHA512
5ddf072799fef9d74a84be33a9280fea2ed325e02255aec2b69a12463afb2628fe8e407411fd840fdcb775de90838a9f8ee1f1cd63a77d676a0ca1f1c5f226da

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
506KB

MD5
c009d1fb95e590af0a6246701e7d88b7

SHA1
c8c4f8ec6321f47607650cdf47a9b9b25ec72439

SHA256
80d480e53e927d2c011e65608b7c46f854c01a08798387f4664b305f2c5c9615

SHA512
67a462e07c60351c7bcb2284ef503a0a7ac75ae19f04ef5a74a285a3d2a00d22b66994506f95dbfd0d9ee68ffc85aa5e0744878857839179825a7e7ee68bcc7f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
382KB

MD5
0d86c6ef91c8fab396ad21bb3840c6cd

SHA1
15dc0bf9eebaeb6e2756c4f70c475b3489661618

SHA256
01a72691c276595a8fae79bec2f4610f67e0e0b24be3e1bd8da637211110c3eb

SHA512
a3b86422691d291e72692dbb25ebef9b003784e3d8a3f080909f64b3f2322327f82f461caa8ff1f9abfe3ada4e81697e45d9bc690d992d29257ef3ec84640b4c

Download Submit
C:\Windows\System32\alg.exe

Filesize
85KB

MD5
8d25c4eab2114fc1ff9e5912937a97e9

SHA1
a577c8abb996b7e4380e37f7bf77d149dc181098

SHA256
69c53e955dd0d4cfd0ce8867a31afd78de0da62299c562cb98ac0075dbcca02d

SHA512
25e03fb9a28f3fcade38ddc8e56dc972df53aab6f7ceffcfb94e82741af94a9bed4c5a7b549330b7f29a39762202d10b10dbe4a012967cda13fa14d3f0064e41

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

Filesize
534KB

MD5
38985683859696a7fe6645d643639112

SHA1
e35de9d0b067c48e45781dd32f211bd34d896046

SHA256
4dcd4800939443d13a5596b8168b5ff10f84b1e4545043ee9883d7d4715ce057

SHA512
68725c945f80cc1ac765bcb558845047acec377b958bb9dff2d34b4965080a8d456756ad6f499e0529cbe579dd862bfddbb084b4fff504f8411449e404128614

Download Submit
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

Filesize
381KB

MD5
7aaf92bcb81f6186a9824024b8b1e7ef

SHA1
9f529eb091c8486d359101e33d62d0b5f35e0f87

SHA256
b75b48a018d5dbb22c80f7c0249b886cb4ed193131682d8e9635d1de1499400d

SHA512
ecac8748c00d45fdc9323e1b8f083a91cf322f398b84a07bca462e7cd3205490f0fd8dbf7deb3e2bbd0c93c26e6946615d4dbf099858f00ae55db74f50b436cc

Download Submit
\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
385KB

MD5
22e1664239c307662b0821237a56c461

SHA1
dc35d53cbad9fa2ae139d2b3c5c903c790493340

SHA256
b1dafc88acd32cac6ef42ce0ad2941b1b077a66db1581f4662052fe39bccc381

SHA512
44f0ef135d68b7f11bd84e8075849727625cb32ebac488eb200e739f9bfdb84f523484714d393755eb14f68fafe9605daff8554949b4e3c842bc0807efe9d8fb

Download Submit
memory/576-159-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/576-160-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/576-150-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/576-143-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/792-70-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/792-181-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/792-71-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/940-267-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/940-275-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/940-274-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/940-272-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/1100-34-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/1100-41-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/1100-33-0x0000000010000000-0x00000000100A4000-memory.dmp

Filesize
656KB

Download
memory/1708-126-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/1708-145-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-123-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/1708-142-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/1708-144-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/1728-1-0x000000013FFB0000-0x00000001400B0000-memory.dmp

Filesize
1024KB

Download
memory/1728-0-0x000000013FFB0000-0x00000001400B0000-memory.dmp

Filesize
1024KB

Download
memory/1728-3-0x000000013FFB0000-0x00000001400B0000-memory.dmp

Filesize
1024KB

Download
memory/1728-32-0x000000013FFB0000-0x00000001400B0000-memory.dmp

Filesize
1024KB

Download
memory/2064-309-0x00000000022E0000-0x0000000002360000-memory.dmp

Filesize
512KB

Download
memory/2064-302-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2064-313-0x0000000002660000-0x000000000266E000-memory.dmp

Filesize
56KB

Download
memory/2064-314-0x0000000002660000-0x000000000266E000-memory.dmp

Filesize
56KB

Download
memory/2064-305-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/2064-306-0x0000000002360000-0x00000000023A8000-memory.dmp

Filesize
288KB

Download
memory/2064-307-0x00000000023B0000-0x00000000023C6000-memory.dmp

Filesize
88KB

Download
memory/2064-304-0x0000000002060000-0x000000000206E000-memory.dmp

Filesize
56KB

Download
memory/2064-308-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/2064-300-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2496-290-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/2496-286-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/2496-282-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2496-288-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2496-284-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2496-285-0x000007FEF4A60000-0x000007FEF53FD000-memory.dmp

Filesize
9.6MB

Download
memory/2524-50-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2524-57-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2524-49-0x0000000010000000-0x00000000100D1000-memory.dmp

Filesize
836KB

Download
memory/2580-278-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-277-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2580-283-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-279-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/2580-276-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2580-281-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2668-125-0x000000013F9F0000-0x000000013FAB6000-memory.dmp

Filesize
792KB

Download
memory/2668-26-0x000000013F9F0000-0x000000013FAB6000-memory.dmp

Filesize
792KB

Download
memory/2668-25-0x000000013F9F0000-0x000000013FAB6000-memory.dmp

Filesize
792KB

Download
memory/2800-299-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2800-289-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2800-294-0x0000000002070000-0x00000000020F0000-memory.dmp

Filesize
512KB

Download
memory/2800-301-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-296-0x0000000002340000-0x0000000002388000-memory.dmp

Filesize
288KB

Download
memory/2800-293-0x000007FEF40C0000-0x000007FEF4A5D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-295-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/2800-297-0x0000000002390000-0x00000000023A6000-memory.dmp

Filesize
88KB

Download
memory/2800-291-0x000000013F980000-0x000000013FA57000-memory.dmp

Filesize
860KB

Download
memory/2800-292-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2880-18-0x00000000FF140000-0x00000000FF20D000-memory.dmp

Filesize
820KB

Download
memory/2880-122-0x00000000FF140000-0x00000000FF20D000-memory.dmp

Filesize
820KB

Download
memory/2880-116-0x00000000FF140000-0x00000000FF20D000-memory.dmp

Filesize
820KB

Download
memory/2880-62-0x00000000FF140000-0x00000000FF20D000-memory.dmp

Filesize
820KB

Download
memory/2880-17-0x00000000FF140000-0x00000000FF20D000-memory.dmp

Filesize
820KB

Download