3a0c2e14e8e5cc505c1e3c5658ed634525c248080fd8a65a50ed849674b8dda9

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

myfamilytree6.0.0.0x64.msi
Size

5.6MB
MD5

60ddf612e459870989e0e4372dc804e8
SHA1

da34d97ecceced3a86d8126c7d41e365a1eee8ae
SHA256

3a0c2e14e8e5cc505c1e3c5658ed634525c248080fd8a65a50ed849674b8dda9
SHA512

5cee06d3517a83165eb389dddf0caa68eaa29062596c63950bc36a2c4aca2960fed1b69d5cde476da56b70f9dce3cb9b76193d99ebe5199296a11b39c0ad8024
SSDEEP

98304:ngYTA2QiDEdOxUl2ItjZ8x9z+RUl59CfXIgF1/vT6OLLtuXRDf/uSxVcOmUMPm/:nJDDDxUxtt8x9keb7or/XtkRSSxV2rP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
836	MyFamilyTree.exe

Loads dropped DLL 11 IoCs

pid	Process
2588	MsiExec.exe
2588	MsiExec.exe
2588	MsiExec.exe
2588	MsiExec.exe
2980	MsiExec.exe
2980	MsiExec.exe
1972	msiexec.exe
1972	msiexec.exe
1208	Process not Found
2588	MsiExec.exe
1208	Process not Found

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2400	msiexec.exe
5	2400	msiexec.exe
7	2400	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	MyFamilyTree.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	MyFamilyTree.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	MyFamilyTree.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	MyFamilyTree.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	MyFamilyTree.exe
File opened (read-only)	\??\H:	MyFamilyTree.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	MyFamilyTree.exe
File opened (read-only)	\??\X:	MyFamilyTree.exe
File opened (read-only)	\??\M:	MyFamilyTree.exe
File opened (read-only)	\??\W:	MyFamilyTree.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MyFamilyTree.exe
File opened (read-only)	\??\L:	MyFamilyTree.exe
File opened (read-only)	\??\Z:	MyFamilyTree.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	MyFamilyTree.exe
File opened (read-only)	\??\N:	MyFamilyTree.exe
File opened (read-only)	\??\O:	MyFamilyTree.exe
File opened (read-only)	\??\V:	MyFamilyTree.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	MyFamilyTree.exe
File opened (read-only)	\??\U:	MyFamilyTree.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	MyFamilyTree.exe
File opened (read-only)	\??\K:	MyFamilyTree.exe
File opened (read-only)	\??\Q:	MyFamilyTree.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\My Family Tree\Documentation\licenses.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\licenses\bsd-3-clause.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\licenses\cc3.0.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\en-GB\MyFamilyTreeLocalization.resources.dll	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\licenses\cc2.0.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\MyFamilyTree.exe.config	msiexec.exe
File created	C:\Program Files\My Family Tree\Plugins\SmartFile.dll	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\licenses\cc3.0sa.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\licenses\odbl-1.0.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\en-US\OnThisDay-en-US.xml	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\licenses\cc0-1.0.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\MyFamilyTree.exe	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\readme.htm	msiexec.exe
File created	C:\Program Files\My Family Tree\Documentation\eula.htm	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICEA8.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c997.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4426.tmp	msiexec.exe
File created	C:\Windows\Installer\{37046F96-CC52-4ED8-8299-D9A777535AAF}\MyFamilyTree_1.exe	msiexec.exe
File created	C:\Windows\Installer\f76c999.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c997.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c996.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{37046F96-CC52-4ED8-8299-D9A777535AAF}\MyFamilyTree_1.exe	msiexec.exe
File created	C:\Windows\Installer\f76c996.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MyFamilyTree.exe = "8000"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	MyFamilyTree.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.GedFamilyTree.1\CurVer = "MyFamilyTree.GedFamilyTree.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MyFamilyTree.exe\shell\Open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyFamilyTree.1\shell\Open\Command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.familyxs\OpenWithProgIds	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyxsFamilyTree.1\shell\ = "Open"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyFamilyTree.1\AppUserModelID = "MyFamilyTreev1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ged\OpenWithProgIds	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.familyxs\Content Type = "application/x-familyxs"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxFamilyTree.1\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MyFamilyTree.FamilyFamilyTree.1\shell\Open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.GedFamilyTree.1\AppUserModelID = "MyFamilyTreev1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.family	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.familyxs	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Applications\MyFamilyTree.exe\shell\Open\Command\ = "C:\\Program Files\\My Family Tree\\MyFamilyTree.exe \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.familyxs\OpenWithProgIds	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\CurVer = "MyFamilyTree.FamilyxFamilyTree.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyFamilyTree.1\FriendlyTypeName = "Family.Show family file"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.GedFamilyTree.1\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MyFamilyTree.FamilyxFamilyTree.1\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyFamilyTree.1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MyFamilyTree.GedFamilyTree.1\shell\Open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\MyFamilyTree.exe\SupportedTypes	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyxFamilyTree.1	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyxFamilyTree.1\AppUserModelID = "MyFamilyTreev1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.GedFamilyTree.1\shell\Open	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Applications\MyFamilyTree.exe\shell\Open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\shell\ = "Open"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyxsFamilyTree.1\CurVer = "MyFamilyTree.FamilyxFamilyTree.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxFamilyTree.1\AppUserModelID = "MyFamilyTreev1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MyFamilyTree.GedFamilyTree.1\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\PackageCode = "69C31D01EBCDF33489A9A9873B95A0FD"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.ged	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.familyxs\MyFamilyTree.FamilyxsFamilyTree.1	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyxFamilyTree.1\FriendlyTypeName = "My Family Tree familyx file"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyFamilyTree.1\shell\Open\Command\ = "C:\\Program Files\\My Family Tree\\MyFamilyTree.exe \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.familyx\Content Type = "application/x-familyx"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxFamilyTree.1\DefaultIcon\ = "C:\\Program Files\\My Family Tree\\MyFamilyTree.exe,3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\DefaultIcon\ = "C:\\Program Files\\My Family Tree\\MyFamilyTree.exe,6"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MyFamilyTree.FamilyxFamilyTree.1\shell\Open\Command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyFamilyTree.1\FriendlyTypeName = "Family.Show family file"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxFamilyTree.1\shell\ = "Open"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyxsFamilyTree.1\shell\Open\Command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.GedFamilyTree.1\shell\Open\Command\ = "C:\\Program Files\\My Family Tree\\MyFamilyTree.exe \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Applications\MyFamilyTree.exe\SupportedTypes	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\FriendlyTypeName = "My Family Tree secured familyxs file"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxFamilyTree.1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.FamilyxsFamilyTree.1\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\shell\Open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyFamilyTree.FamilyxsFamilyTree.1\shell\Open\Command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.family\MyFamilyTree.FamilyFamilyTree.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.familyxs\OpenWithProgIds\MyFamilyTree.FamilyxsFamilyTree.1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\MyFamilyTree.GedFamilyTree.1\shell\ = "Open"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Applications\MyFamilyTree.exe\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\69F6407325CC8DE428999D7A7735A5FA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1972	msiexec.exe
1972	msiexec.exe
836	MyFamilyTree.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2400	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeSecurityPrivilege	1972	msiexec.exe
Token: SeCreateTokenPrivilege	2400	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2400	msiexec.exe
Token: SeLockMemoryPrivilege	2400	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2400	msiexec.exe
Token: SeMachineAccountPrivilege	2400	msiexec.exe
Token: SeTcbPrivilege	2400	msiexec.exe
Token: SeSecurityPrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeLoadDriverPrivilege	2400	msiexec.exe
Token: SeSystemProfilePrivilege	2400	msiexec.exe
Token: SeSystemtimePrivilege	2400	msiexec.exe
Token: SeProfSingleProcessPrivilege	2400	msiexec.exe
Token: SeIncBasePriorityPrivilege	2400	msiexec.exe
Token: SeCreatePagefilePrivilege	2400	msiexec.exe
Token: SeCreatePermanentPrivilege	2400	msiexec.exe
Token: SeBackupPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeShutdownPrivilege	2400	msiexec.exe
Token: SeDebugPrivilege	2400	msiexec.exe
Token: SeAuditPrivilege	2400	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2400	msiexec.exe
Token: SeChangeNotifyPrivilege	2400	msiexec.exe
Token: SeRemoteShutdownPrivilege	2400	msiexec.exe
Token: SeUndockPrivilege	2400	msiexec.exe
Token: SeSyncAgentPrivilege	2400	msiexec.exe
Token: SeEnableDelegationPrivilege	2400	msiexec.exe
Token: SeManageVolumePrivilege	2400	msiexec.exe
Token: SeImpersonatePrivilege	2400	msiexec.exe
Token: SeCreateGlobalPrivilege	2400	msiexec.exe
Token: SeCreateTokenPrivilege	2400	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2400	msiexec.exe
Token: SeLockMemoryPrivilege	2400	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2400	msiexec.exe
Token: SeMachineAccountPrivilege	2400	msiexec.exe
Token: SeTcbPrivilege	2400	msiexec.exe
Token: SeSecurityPrivilege	2400	msiexec.exe
Token: SeTakeOwnershipPrivilege	2400	msiexec.exe
Token: SeLoadDriverPrivilege	2400	msiexec.exe
Token: SeSystemProfilePrivilege	2400	msiexec.exe
Token: SeSystemtimePrivilege	2400	msiexec.exe
Token: SeProfSingleProcessPrivilege	2400	msiexec.exe
Token: SeIncBasePriorityPrivilege	2400	msiexec.exe
Token: SeCreatePagefilePrivilege	2400	msiexec.exe
Token: SeCreatePermanentPrivilege	2400	msiexec.exe
Token: SeBackupPrivilege	2400	msiexec.exe
Token: SeRestorePrivilege	2400	msiexec.exe
Token: SeShutdownPrivilege	2400	msiexec.exe
Token: SeDebugPrivilege	2400	msiexec.exe
Token: SeAuditPrivilege	2400	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2400	msiexec.exe
Token: SeChangeNotifyPrivilege	2400	msiexec.exe
Token: SeRemoteShutdownPrivilege	2400	msiexec.exe
Token: SeUndockPrivilege	2400	msiexec.exe
Token: SeSyncAgentPrivilege	2400	msiexec.exe
Token: SeEnableDelegationPrivilege	2400	msiexec.exe
Token: SeManageVolumePrivilege	2400	msiexec.exe
Token: SeImpersonatePrivilege	2400	msiexec.exe
Token: SeCreateGlobalPrivilege	2400	msiexec.exe
Token: SeCreateTokenPrivilege	2400	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2400	msiexec.exe
2400	msiexec.exe
836	MyFamilyTree.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
836	MyFamilyTree.exe
836	MyFamilyTree.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2588	1972	msiexec.exe	29
PID 1972 wrote to memory of 2588	1972	msiexec.exe	29
PID 1972 wrote to memory of 2588	1972	msiexec.exe	29
PID 1972 wrote to memory of 2588	1972	msiexec.exe	29
PID 1972 wrote to memory of 2588	1972	msiexec.exe	29
PID 1972 wrote to memory of 2588	1972	msiexec.exe	29
PID 1972 wrote to memory of 2588	1972	msiexec.exe	29
PID 1972 wrote to memory of 2980	1972	msiexec.exe	30
PID 1972 wrote to memory of 2980	1972	msiexec.exe	30
PID 1972 wrote to memory of 2980	1972	msiexec.exe	30
PID 1972 wrote to memory of 2980	1972	msiexec.exe	30
PID 1972 wrote to memory of 2980	1972	msiexec.exe	30
PID 1972 wrote to memory of 2980	1972	msiexec.exe	30
PID 1972 wrote to memory of 2980	1972	msiexec.exe	30
PID 2588 wrote to memory of 836	2588	MsiExec.exe	34
PID 2588 wrote to memory of 836	2588	MsiExec.exe	34
PID 2588 wrote to memory of 836	2588	MsiExec.exe	34
PID 2588 wrote to memory of 836	2588	MsiExec.exe	34

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\myfamilytree6.0.0.0x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2400

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F324C1D00381D7242E6322A7DCE1B71B C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Program Files\My Family Tree\MyFamilyTree.exe
    "C:\Program Files\My Family Tree\MyFamilyTree.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:836
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86FCE9A481AD85125E27C14F9CFECE04
  2⤵
  - Loads dropped DLL
  PID:2980

C:\Windows\System32\MsSpellCheckingFacility.exe
"C:\Windows\System32\MsSpellCheckingFacility.exe" -Embedding
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c998.rbs

Filesize
47KB

MD5
5131f265a001ffd56f33225ab5721620

SHA1
80694e075bfa17fa74422a96723b5eb2c50231d0

SHA256
e8c759403b06fa5ed13a17dc55c3c2da5e410a13b727fc0f485517fcb2faae0a

SHA512
0e17dcf4e66121554097b8802ae4ee145963f3161e09054fcacf17b140e654674038b8885cb7b99c4f55c9c06056b5b073637dfb47f0d760199bc38023274792

Download Submit
C:\Program Files\My Family Tree\MyFamilyTree.exe

Filesize
1.1MB

MD5
d0ef1d8eb5b426d09da9a97d74259564

SHA1
f373b22f02a690f9798f0dffc37b39a9db5208c4

SHA256
d77ba237662420cd63e54c8af46cdb1747da260bb25f7ba0dce2371f212e7e2d

SHA512
f547669b0acb135ce63d43f11a040f6c1386370405c4c0a748d44cb8299095242626d45db7feee588ba95fe9c1011b6556af8146ca1ef17bf588340247cbefc6

Download Submit
C:\Program Files\My Family Tree\MyFamilyTree.exe

Filesize
65KB

MD5
c3ba51ffbd2119e052e964086f6ce480

SHA1
01287136e77c7c71c0f6593ce22771e48b88dcec

SHA256
34f2b7f224107ad15361961c3f59cbd19bb46511d61feb15b3d4e34118fa236e

SHA512
1daf6d14ccc8c5d2d6422c0553dc094c41bfb1a468214de2549dad5c52aa49d0279a62e34fccb853a3fdac8728012c29c76a37bbef1bfa3ea8f4d460ecdf392a

Download Submit
C:\Program Files\My Family Tree\MyFamilyTree.exe

Filesize
500KB

MD5
96deb0a792b152575a90cdc28d717907

SHA1
c4fb9368a6c3c7fd7732716f9a473c2981ff7c89

SHA256
b933141e8e91459cfd3d8e69bbda579bc8f5166f3b8b3cdc868e436e79be0f56

SHA512
9e51761630c3b2fe6244ca00fb3e293fedb80592e5e5fbfc86aae7914a604ca9d545ad7fcd88235e34f75930c99204eb25e3d30f14e0795a80106836307df366

Download Submit
C:\Program Files\My Family Tree\MyFamilyTree.exe.config

Filesize
32KB

MD5
2e1dc70bbee68cf7949b866ab24873d3

SHA1
ba242588da82e71bfc9dffba2f9ea43be4661903

SHA256
04dba45f44600b3eb7d6ede18fa67ba920deb26f7074b2734c21710a7c0ea087

SHA512
814c404c95bc74c3b9d71b51fe6e6a11a32ccc4499b588b097478ad7c2851b5eda2ccd21776ff95aef4512e9a7c631974d14291e41ea6d3524f924ee53929352

Download Submit
C:\Program Files\My Family Tree\en-GB\MyFamilyTreeLocalization.resources.dll

Filesize
21KB

MD5
0238bcb6ad9c4be11b4d311a59efc059

SHA1
5eaf53dabb5b0b6ac6f690afd315a7406b179ef2

SHA256
f936987c6bcdca12a1376fcb8530670874bf1b31a9b4199a9bb7c6eeb86a2ffb

SHA512
3ab66fc82c12730565c91a1dd4a764a0d00250d4ee9e342a89f29385ef1bfabde89794a8b765370a73e741c10d37da4c482f1154891cb7562349057e53a54ad6

Download Submit
C:\Program Files\My Family Tree\en-US\OnThisDay-en-US.xml

Filesize
731KB

MD5
7e08e898364f1c5353e35ec5eae64944

SHA1
152e8b2d203b6632e373949e600ba2cf5e67e576

SHA256
d8e8920a14614979ff525d33ac8cfda3fcd429d36228d4681220323fc8c2fa94

SHA512
7d45cb07c18eb82622c4c1c22b13e45c4b895d5fd5481a65a506909d5c8eec032b3aa9d7bc0a06df7e149bf87e008d9317e368c439dff11343372978f8326810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
27f07bea0f05c6fd2dbd3f037e79e895

SHA1
225029ebc0abcf6d07b27bc076fa39684b526ed5

SHA256
31cbe1da5ba3e06903682bdc205bcdf4956e21112ff8049b1831f6d1bf36b09f

SHA512
d1eda2beabbfe4e907df016f17d9431e30e3459223e44ea85924061754df2e2f87f6f7dd8e7a9414779f0b76fa48aff40c557a7a37a52082b6bee4338bfbfd18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_CBE3EAC59A40EA0659812CEE02592A50

Filesize
471B

MD5
d6562a84aa26d94242efc20f99afa1db

SHA1
c42d535759c7e7bbcf2f333c1333665335489dfa

SHA256
8253566a170a981946c29c8e486392bde425a662370200a483b1f1d1c2f93282

SHA512
153b00fd5373427736f049b3bdaa0a0baa3bd932a2d3f703115e5c34d62b154c83134edebc5a1022501202a2a5937b3215f47a7018c7e6432d0cf7a039152fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
03c6ff89b9a8d8ccd3d91193337519e3

SHA1
3679e6fb14128e59fde3f3f3772ad9cd26404138

SHA256
992a25c6d8a21405504eb70ac976e4a78489931b9569bb2c0258fa04de14c46c

SHA512
84aaa890855653817f4cd68cffb5a97315ae79b561037a52052a2999437f6c7bf786cbc733c343c97b8f1fda08a5f31ae89ea69e9410c27dd49c1eeb9715c6db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_CBE3EAC59A40EA0659812CEE02592A50

Filesize
404B

MD5
8aed40e04bb54d1ce2ea66fa0f86ca6b

SHA1
f27206594ce23934740a451a738935b88ceaca82

SHA256
f893cd7d6fe40239d16ba0dce849fb9bee28262507960d21a5fe222649bc4836

SHA512
8e25bc6dfa3ee8a820cfc5dba0db2f08610871c42abad40aef40911d47fd6dd22739f269ac51717bf88ae54739b484d7717dc295f3ed553272964a5629900332

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d4c60f4ae7f8057067f835f3ed7f8bd

SHA1
1ce5d163241b6ea2297a8265ace78a28429f7aeb

SHA256
054fbef7facb9b3d6e50a6f077cc4a7a0310d18e4057699285a8634c97a82688

SHA512
181d6e3a07aa07904a742e1f2d6825753545095948a6a0c39a4830189281a9d3146aa33941e7f3cac35991c251bc069c797fce5e0ca168001ee19c5ea3c04943

Download Submit
C:\Users\Admin\AppData\Local\Chronoplex_Software\MyFamilyTree.exe_StrongName_tnif3vr5lad1zt3bverw0tbyq12ib2fv\6.0.0.0\user.config

Filesize
487B

MD5
f5cae88f8cd0fca2075b2a821a4326c1

SHA1
31e4717ed8848043e17c68c3f5c944223d6c7e9d

SHA256
f6eed5f8b0f3f349b0ff9c726e0311593e5a50804ee93dac5c38f09b4d7a44b3

SHA512
a977cb54dab41f8736d1ebe832ed79a9852c95ce153a1950f1c0b71f7cc3720f1646ed38bbfa8f22922d38079ba6f7bb312df7aa4ef3d88243ced247cd3d889e

Download Submit
C:\Users\Admin\AppData\Local\Chronoplex_Software\MyFamilyTree.exe_StrongName_tnif3vr5lad1zt3bverw0tbyq12ib2fv\6.0.0.0\user.config

Filesize
6KB

MD5
09586fb5d67365f11157ef8e22311641

SHA1
dcdeadb4053602c22516740bbae52053c974c2ab

SHA256
afba026168fdc7fcb33fda42727b6fabaeb722c0a644dd84076e53f0cfdee955

SHA512
787d4df099fc75e6b6d81a378f924c31f330a2a6075cb908f2004acb23bce992a32d381db4f54eac1f510ec3849c9c90c6070e46c9ef3cf116d90aa4744d113c

Download Submit
C:\Users\Admin\AppData\Local\Chronoplex_Software\MyFamilyTree.exe_StrongName_tnif3vr5lad1zt3bverw0tbyq12ib2fv\6.0.0.0\user.config

Filesize
5KB

MD5
1f2302231a40a9066b2ad4328a7f0d60

SHA1
c37745bc45724c586a32a8f6c3ceab0d921b289a

SHA256
09c2f4ea57bdb0e333e5d03de165b0b170355daf34b2a8fdd6068e3c31cb212f

SHA512
7827e26ce40f20284f6310fae2b78e8d25b7d888bda16f1b77b4db594ba698d668d9356945622c2a4cdf3be71536939528e11fd130ae1829ae348ddad24689e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5820.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI63B9.tmp

Filesize
95KB

MD5
3056644ace6294c801a8010e99888525

SHA1
bbb622450269b1918e9fe11ed32deecf65e7e0e2

SHA256
77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b

SHA512
853e263e4a921b332cf573b8271759cff5cec569b08af78ed8f022d76567868a66455c12fab728a96babebd3859fc1ed2c8507e7233b45b2811542e2d38e1c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6532.tmp

Filesize
51KB

MD5
2c67d539a7670a9e23d5c874f588ebe2

SHA1
d906ddf423ff72c465b26cf7df67cc8fb8956fbe

SHA256
d9b921d68d80f09061a38f9fd26df3c289130e6a76727e96ae3ecd34bb3fca31

SHA512
b18f28a65dfba363bf080f2078de16f3088d3d3850fbb6345b49890f68ca90d21303c547c5fcd19966c73171a7b0fc3d1adb0b043da8a1fd47db374c5de1863b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6251.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7b415336d4b9b559.customDestinations-ms

Filesize
4KB

MD5
fcb56a35dda5446008ed5cb5a90649d1

SHA1
3f373b8383d5c31eb0c11bf943209860d1e7d96b

SHA256
3657de2ec90f512e858cb5ce652e37845bc09c9bf29622b0b4d846c33b500dc1

SHA512
9b23283c29cfc5e7e9167796225ad90b690c2aad425b030f96cdeee148d9e8b663c8135cd57119d7413fd164e0d889910236183511c23a97ec147791da4644a4

Download Submit
C:\Windows\Installer\f76c996.msi

Filesize
789KB

MD5
e5e9c8e2b2ee74c90a03fe75586f0d83

SHA1
654254a2d72f333894632076e2a8f3ae337666a9

SHA256
e19a4fe195fdf4e0bd5fa5b30ca2de73a71b6883c8c6e619aea57cc65a56435f

SHA512
680071e012b81c0adbf15728727a7d4cb38de7b775f39547750550676baa6da8117d5247262364ee1febf2198301538733d3b922aaa74bdb66d83e15f73cb2cd

Download Submit
\Program Files\My Family Tree\MyFamilyTree.exe

Filesize
708KB

MD5
a305f738e252242272b8d5686d39b9f6

SHA1
46b3809257d78b8f8405aa0dee8c9da5f65cc998

SHA256
b780b2f0aa1c21e2fcf833ddf63b2c7b5d34f718454f170723d6f917dc3cf1f7

SHA512
a1ef5427d1eaa86f4698c90859b0ab3961d74fddba20fee6c46e047f04ac5b524e37d4acf610c6f2fdb26b85d4d21b204be47a91f190f2d3598c18382b7e3788

Download Submit
\Program Files\My Family Tree\MyFamilyTree.exe

Filesize
322KB

MD5
3ef1d0e54b95f338a7e091fb06bc9e89

SHA1
2e614c44c0726978a43ebc7c653961a95db06d87

SHA256
34b6eb6db81bc6f93a2fc0ee1615fbb14a41415d20ea4fd3f8dfe7cba7181d57

SHA512
5d2b62bc6f4f065290e55029347fbdb757bceaa16ee2edbbcff55f9d68526ecf02fc8633eeedb0a8be2dc771af6f6cb4b3b2544bea91d5f2849d068ba4278027

Download Submit
\Program Files\My Family Tree\MyFamilyTree.exe

Filesize
224KB

MD5
61dcb8bc415420e8186eb79caa9d971f

SHA1
c1e37f8f073bdd322a09db8641c146faaae7c4f6

SHA256
21ee098caf4fd064da95d8c799810c758eadfe9bb4ae8dbca2b45b99ac4cff34

SHA512
a47fb998a2038028e65b5578379e80a0ee81578611a388fb4a35314ec8c176737e685a055431015c35807f4e427002d6da024a1f71ba163bd2b63533847f43f0

Download Submit
\Program Files\My Family Tree\MyFamilyTree.exe

Filesize
683KB

MD5
d6dcf16eaf738e00fb021f2bd9f98ef8

SHA1
e973da5a2bffebb813776de4ccbe3e2699c9a30b

SHA256
4fb64f6bf9729a968a89d0ef2841e6dcc19f7a999527491641d723308ac13dab

SHA512
bb1f355f54c6febc5896825630bd1c27be714a6137e4b48f60ca7563bd0e309f104262decc13c07de59c5be3ca2705709c824fa3497124c9f4fd4e8eaa0224a1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6532.tmp

Filesize
2KB

MD5
35779f1b9b105f8fe75558eee46d02eb

SHA1
8473f44f2dd262ec73f24cb64006c6d2ce00c7e2

SHA256
792820ece2e281e570407f89fe575178578ba61ab52e35ecf827d05822c72a2e

SHA512
2988ea3fc1e299028af79a6425e6c58953891e6a21bad52540bfef19c1699eff409c0edc3e3133b99994b6078b85f896e021222a64298e51f594318fb2b10e4d

Download Submit
memory/836-162-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-122-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/836-161-0x000007FEF4BD0000-0x000007FEF55BC000-memory.dmp

Filesize
9.9MB

Download
memory/836-164-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-134-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/836-121-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-120-0x000007FEF4BD0000-0x000007FEF55BC000-memory.dmp

Filesize
9.9MB

Download
memory/836-154-0x000000001C4C0000-0x000000001C4DC000-memory.dmp

Filesize
112KB

Download
memory/836-119-0x0000000000F10000-0x0000000001502000-memory.dmp

Filesize
5.9MB

Download
memory/836-156-0x000000001CBF0000-0x000000001CBFE000-memory.dmp

Filesize
56KB

Download
memory/836-157-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-158-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-160-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-159-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-163-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-124-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/836-128-0x000000001AFE0000-0x000000001B040000-memory.dmp

Filesize
384KB

Download
memory/836-167-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-127-0x0000000000B30000-0x0000000000B44000-memory.dmp

Filesize
80KB

Download
memory/836-166-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-165-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-168-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/836-169-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-170-0x0000000021430000-0x0000000021BD6000-memory.dmp

Filesize
7.6MB

Download
memory/836-171-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-172-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-173-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-174-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-175-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-177-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-126-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-125-0x000000001C6B0000-0x000000001C8D6000-memory.dmp

Filesize
2.1MB

Download
memory/836-123-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-200-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/836-201-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/836-202-0x000007FEF4BD0000-0x000007FEF55BC000-memory.dmp

Filesize
9.9MB

Download