eb033fdba9c0d23de6dd671a6bbaad132d7a5d840937675100a49f1d327ee055

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe
Size

665KB
MD5

6ffc39a9444675930e372e52ae5dc710
SHA1

18406e2f2be926c7a82388a904a5b1c7dc97322f
SHA256

eb033fdba9c0d23de6dd671a6bbaad132d7a5d840937675100a49f1d327ee055
SHA512

a1fb36e133c5a4d7e08615fdb94c39e09812f7b6bc2e5b12630249929fa577baea0bfce115c543bf2c8583d3c138cbfb21d54605c2879c16d34c37e6761d3367
SSDEEP

12288:3/nUHbC/V7CUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8L:3s7CAatr0zAiX90z/F0jsFB3SQkY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 34 IoCs

Processes:

alg.exemscorsvw.exemscorsvw.exeelevation_service.exeGROOVE.EXEmaintenanceservice.exeOSE.EXEOSPPSVC.EXEmscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
480
2636	alg.exe
2472	mscorsvw.exe
1444	mscorsvw.exe
2748	elevation_service.exe
988	GROOVE.EXE
1448	maintenanceservice.exe
452	OSE.EXE
2848	OSPPSVC.EXE
2808	mscorsvw.exe
2100	mscorsvw.exe
344	mscorsvw.exe
2972	mscorsvw.exe
2392	mscorsvw.exe
1124	mscorsvw.exe
2212	mscorsvw.exe
2940	mscorsvw.exe
2860	mscorsvw.exe
1944	mscorsvw.exe
3016	mscorsvw.exe
1924	mscorsvw.exe
2428	mscorsvw.exe
1456	mscorsvw.exe
1508	mscorsvw.exe
2388	mscorsvw.exe
1744	mscorsvw.exe
1244	mscorsvw.exe
2224	mscorsvw.exe
1724	mscorsvw.exe
948	mscorsvw.exe
1732	mscorsvw.exe
2880	mscorsvw.exe
280	mscorsvw.exe
1916	mscorsvw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

Processes:

alg.exeGROOVE.EXE6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfae783d2a37835d.bin	alg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0CE5CC7E-EAA3-4562-A781-DCB0067BB36A}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe

Drops file in Windows directory 16 IoCs

Processes:

alg.exemscorsvw.exemscorsvw.exe6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2556 2972 WerFault.exe 6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe

pid	pid_target	process	target process
2556	2972	WerFault.exe	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

GROOVE.EXEOSPPSVC.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform	OSPPSVC.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000	OSPPSVC.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exemscorsvw.exemscorsvw.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2972	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1444	mscorsvw.exe
Token: SeShutdownPrivilege	2472	mscorsvw.exe
Token: SeShutdownPrivilege	1444	mscorsvw.exe
Token: SeShutdownPrivilege	2472	mscorsvw.exe
Token: SeDebugPrivilege	2636	alg.exe
Token: SeShutdownPrivilege	1444	mscorsvw.exe
Token: SeShutdownPrivilege	1444	mscorsvw.exe
Token: SeShutdownPrivilege	2472	mscorsvw.exe
Token: SeShutdownPrivilege	2472	mscorsvw.exe
Token: SeShutdownPrivilege	1444	mscorsvw.exe
Token: SeShutdownPrivilege	2472	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exemscorsvw.exemscorsvw.exe

description	pid	process	target process
PID 2972 wrote to memory of 2556	2972	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe	WerFault.exe
PID 2972 wrote to memory of 2556	2972	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe	WerFault.exe
PID 2972 wrote to memory of 2556	2972	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe	WerFault.exe
PID 2972 wrote to memory of 2556	2972	6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe	WerFault.exe
PID 1444 wrote to memory of 2808	1444	mscorsvw.exe	mscorsvw.exe
PID 1444 wrote to memory of 2808	1444	mscorsvw.exe	mscorsvw.exe
PID 1444 wrote to memory of 2808	1444	mscorsvw.exe	mscorsvw.exe
PID 1444 wrote to memory of 2100	1444	mscorsvw.exe	mscorsvw.exe
PID 1444 wrote to memory of 2100	1444	mscorsvw.exe	mscorsvw.exe
PID 1444 wrote to memory of 2100	1444	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 344	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 344	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 344	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 344	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2972	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2972	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2972	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2972	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2392	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2392	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2392	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2392	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1124	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1124	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1124	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1124	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2212	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2212	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2212	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2212	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2940	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2940	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2940	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2940	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2860	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2860	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2860	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2860	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1944	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1944	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1944	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1944	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 3016	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 3016	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 3016	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 3016	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1924	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1924	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1924	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1924	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2428	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2428	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2428	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2428	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1456	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1456	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1456	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1456	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1508	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1508	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1508	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 1508	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2388	2472	mscorsvw.exe	mscorsvw.exe
PID 2472 wrote to memory of 2388	2472	mscorsvw.exe	mscorsvw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6ffc39a9444675930e372e52ae5dc710_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 344
2⤵
- Program crash
PID:2556

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 244 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1e8 -Pipe 1d8 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 254 -Pipe 1d4 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1f0 -Pipe 250 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 254 -Pipe 24c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1e8 -Pipe 248 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1f0 -Pipe 260 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 1e8 -Pipe 264 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 1f0 -Pipe 26c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 288 -NGENProcess 1e8 -Pipe 270 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 28c -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 1f0 -Pipe 278 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 1e8 -Pipe 27c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 254 -Pipe 280 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 1f0 -Pipe 284 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 2a0 -NGENProcess 1e8 -Pipe 288 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:1916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 230 -NGENProcess 238 -Pipe 23c -Comment "NGen Worker Process"
2⤵
- Executes dropped EXE
PID:2100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2748

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:988

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
5ff64575e530c798ec5c336db4499f41

SHA1
30b1105a066b846f0dde2cf1a0a9ab1475d03bc9

SHA256
8ef49403ca91792ef04a5b1bfecb55051519674ed207bd630b4ff5dcbb1040fd

SHA512
ed862906dc41cd8a1869ac16b01ac43c9310963b16f378cfaf401a9d7c1e62698a3e50d806bf2d6c09345a10a6cd2e5ca9c6d8b6728d8a858dd7d95a7f7cfc40

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
42f6b9ef44c8592b2353e953f2423454

SHA1
70bf28f82c4adabc1f28563969adbc5246477cb4

SHA256
15c325a4b1f64206aa811da458eca95945ef855d8eebfec7eb54395875983158

SHA512
871b24a3fa4b1f1a649a6b9998e3179e1ba15c60371a6b85e1ffcc4afc6bed7277fb131873b4233fb9ccfe0b99ba94aef69f5d37676f81cb2add25bbc8fc2060

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
99022607353bd5edd52a304b6b4d9b8d

SHA1
953aa2b951f9ccbcf3ecccb3d2f1749e4d9bcf6f

SHA256
96205d869b0d7d1352603e245b0e14bfc18a1eb22d6fde4ddf9fdcc8ec6cf6c2

SHA512
f687f42bcd71298f0573635dcea605381ed25f484c287d9ac29aea63b0ce27644d2c4e2b0c3cf6023531f2f2e7e59cbe8a91cd4c82f1ba9d7fec43fc0fa01a40

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
5.2MB

MD5
11a0c494054400a5e7c8fdc04bb2daaa

SHA1
09cbb67d2fee5937862162a45bf1e8aba6f22578

SHA256
b60b0e0be4f0a806b60b8511ce6df55bd56dc6454f30e48b7f8bf8adc6e167ec

SHA512
32cff7da4eb9216502d32c7d20359dd0478ac4d11b4509214ed9d0ec157d9722018c17bb570c92e44cc61436de253fbd19316ec65e783737cda076bb777b99a8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a184d44308da3766deb48aa1a39dfd27

SHA1
83ecf1901185a061ee4e00462f8fb2e673babfeb

SHA256
563ef5f2870f62cfaad03b457c97773e6f73a96c69095cf52bdb4b2bb03e30c5

SHA512
e5fcf6a0e75df0c8eba1e77f1271e326a99c98aaf6ebfaa1eaa442880d1b7ae22618665e47f0cd0d225b8b13ad16867bffa3bd1978323a596a0c55d1c3a21f92

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
08f86848f61a550dc86a69592b87c003

SHA1
b9d8718028cf5f0a284bbcb11467b47d66c4c71d

SHA256
7be448b3faccd21cebaa73b8101c5f0a6ecc05b5cde6951a0d6b3806ab5263a9

SHA512
827f5204ba54104222506c9cfbbdc2c057b09c4274c2406ac152fcd90a8c99753b6b65756be0b09dedfdbd709b53eebeaf1d56238588a684acb39a3fa0b85a8f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
bfeab85fc5daf9b176600807f30760ed

SHA1
6c471120ab2f6eaa3382d0a53ad11c1a7ca7062f

SHA256
5d6c38a230310f6026fb61e01da8f26c680eaf488ba22e9c48142c2f2489457f

SHA512
c5a716d0c2ff2e9e7429da8f3759d02387bfcc3c70505ec779430629f7d32e6217e16299bc1dde51efcbd34796df94d31087440065f0afae7f5a815004480ab1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
6a0243db274404288f9db02e4ea56391

SHA1
3330ef596ef09044e1a6c7c338b61660b3e98ad8

SHA256
eb51f7e927ad688373d59872a9cf0eaae3ee1930fd81425d6884d930a6855c32

SHA512
84eeb01d866479c5fd73f22c67da32e9443c743a5d98c566133051000c75ed28a2c464c7150b1f41006450053dbb2dd98f7e96a6e657f2c64b541297bfa0c526

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
8474ac4bcce25940166c14dba5fe6de4

SHA1
12ddd5a6a8c0c3b82625cd390c238fe11f158c25

SHA256
ba0fc14ae545010ea8d7c960e0f5311cbc7adfafd6c44030ef82e09acf6fa633

SHA512
f3647d6cd13317fcede1fea6653ab3bf5496ebae1579a97a93b284f75b8d058e194f875fa3687be49fceac776a1bbb1d1265d3c859ca5b8cd8f353cf49ae1a36

Download Submit
memory/280-565-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/280-571-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/344-315-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/344-311-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/452-94-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/452-99-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/452-93-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/452-360-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/948-535-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/948-523-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/988-71-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/988-76-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/988-336-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/988-78-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1124-349-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1124-353-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-494-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1244-507-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1444-43-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1444-285-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1444-52-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/1444-44-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/1448-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1448-102-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1448-87-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1448-103-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1448-81-0x0000000000FF0000-0x0000000001050000-memory.dmp

Filesize
384KB

Download
memory/1456-447-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1456-451-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-463-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1508-457-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1724-517-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1724-524-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-543-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1732-547-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-488-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-476-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1744-484-0x0000000003C70000-0x0000000003D2A000-memory.dmp

Filesize
744KB

Download
memory/1916-581-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1924-427-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1924-416-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1944-403-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1944-399-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2100-294-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2100-300-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2212-366-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-362-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2224-511-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2388-475-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2388-471-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-337-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2392-344-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2428-435-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2428-439-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2472-30-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2472-31-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2472-36-0x0000000000370000-0x00000000003D7000-memory.dmp

Filesize
412KB

Download
memory/2472-271-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2636-24-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2636-20-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2636-13-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2636-14-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2748-323-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2748-67-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2748-68-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2748-60-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/2808-297-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2808-283-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2848-374-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2848-114-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2860-391-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2860-387-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-559-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2880-553-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-379-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-375-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2972-23-0x0000000030000000-0x00000000300AA000-memory.dmp

Filesize
680KB

Download
memory/2972-328-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2972-0-0x0000000030000000-0x00000000300AA000-memory.dmp

Filesize
680KB

Download
memory/2972-324-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2972-8-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2972-1-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/3016-415-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3016-404-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download