c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe
Size

1.4MB
MD5

7ee6219d0f497752aa7f1c129ca50bc1
SHA1

68bec1b6c594b6bdaf74b4062e4b3c477aa6a1ad
SHA256

c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0
SHA512

a91760aeb550d5683ce0222f40addb3507b79ccf10199c6c5a4773d3b3fc0bcf874360202bfcdca0871da5efe94b94b24fecb72dd5ebeca02939928c5a534094
SSDEEP

24576:E9Yu8GgnSf7uw7J8qyKD0OIqKT//pIgl6A5H2TuDWkd3WZZ7SuW42C7Z32o3:zGMo7NSK/Iqwp/6A5Wgz501SuWYZ3V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{A7AB73A3-CB10-4AA5-9D38-6AEFFBDE4C91}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C56.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5852fd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI553F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e5852fd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5725.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e585301.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3112	Update.exe

Loads dropped DLL 6 IoCs

pid	Process
408	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe
408	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ms-teams.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teamsupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teamsupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ms-teams.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	ms-teams.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ms-teams.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\msteams\WarnOnOpen = "0"	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\msteams	ms-teams.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x64\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.Connect\CurVer	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.FastConnect\CurVer\Description = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.Connect	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.FastConnect.1	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.FastConnect\ = "FastConnect Class"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win64	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x86\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\ = "AddinLoaderLib"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID\ = "TeamsAddin.FastConnect"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.Connect.1\ = "Connect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.Connect\CurVer\ = "TeamsAddin.Connect.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.FastConnect	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.FastConnect.1\CLSID\ = "{19A6E644-14E6-4A60-B8D7-DD20610A871D}"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.FastConnect\CurVer\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ = "FastConnect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\msteams\shell\open\command	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\msteams	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib\ = "{C0529B10-073A-4754-9BB0-72325D80D122}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\msteams\shell	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.FastConnect\CurVer\FriendlyName = "Microsoft Teams Meeting Add-in for Microsoft Office"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.Connect\ = "Connect Class"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\msteams\shell\open\command\ = "\"ms-teams.exe\" \"%1\""	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x64\\Microsoft.Teams.AddinLoader.dll"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.Connect.1\CLSID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\msteams_8wekyb3d8bbwe\Internet Settings\Cache	ms-teams.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\ProgID\ = "TeamsAddin.FastConnect.1"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\TypeLib\{C0529B10-073A-4754-9BB0-72325D80D122}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\TeamsMeetingAdd-in\\1.24.28402\\x86\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\WOW6432Node\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\TeamsAddin.Connect.1\CLSID\ = "{CB965DF1-B8EA-49C7-BDAD-5457FDC1BF92}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\msteams\shell\open	ms-teams.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\Version\ = "1.0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1716	ms-teams.exe
1716	ms-teams.exe
1716	ms-teams.exe
1716	ms-teams.exe
1716	ms-teams.exe
4568	msiexec.exe
4568	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	Update.exe
Token: SeShutdownPrivilege	472	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	472	ms-teamsupdate.exe
Token: SeSecurityPrivilege	4568	msiexec.exe
Token: SeCreateTokenPrivilege	472	ms-teamsupdate.exe
Token: SeAssignPrimaryTokenPrivilege	472	ms-teamsupdate.exe
Token: SeLockMemoryPrivilege	472	ms-teamsupdate.exe
Token: SeIncreaseQuotaPrivilege	472	ms-teamsupdate.exe
Token: SeMachineAccountPrivilege	472	ms-teamsupdate.exe
Token: SeTcbPrivilege	472	ms-teamsupdate.exe
Token: SeSecurityPrivilege	472	ms-teamsupdate.exe
Token: SeTakeOwnershipPrivilege	472	ms-teamsupdate.exe
Token: SeLoadDriverPrivilege	472	ms-teamsupdate.exe
Token: SeSystemProfilePrivilege	472	ms-teamsupdate.exe
Token: SeSystemtimePrivilege	472	ms-teamsupdate.exe
Token: SeProfSingleProcessPrivilege	472	ms-teamsupdate.exe
Token: SeIncBasePriorityPrivilege	472	ms-teamsupdate.exe
Token: SeCreatePagefilePrivilege	472	ms-teamsupdate.exe
Token: SeCreatePermanentPrivilege	472	ms-teamsupdate.exe
Token: SeBackupPrivilege	472	ms-teamsupdate.exe
Token: SeRestorePrivilege	472	ms-teamsupdate.exe
Token: SeShutdownPrivilege	472	ms-teamsupdate.exe
Token: SeDebugPrivilege	472	ms-teamsupdate.exe
Token: SeAuditPrivilege	472	ms-teamsupdate.exe
Token: SeSystemEnvironmentPrivilege	472	ms-teamsupdate.exe
Token: SeChangeNotifyPrivilege	472	ms-teamsupdate.exe
Token: SeRemoteShutdownPrivilege	472	ms-teamsupdate.exe
Token: SeUndockPrivilege	472	ms-teamsupdate.exe
Token: SeSyncAgentPrivilege	472	ms-teamsupdate.exe
Token: SeEnableDelegationPrivilege	472	ms-teamsupdate.exe
Token: SeManageVolumePrivilege	472	ms-teamsupdate.exe
Token: SeImpersonatePrivilege	472	ms-teamsupdate.exe
Token: SeCreateGlobalPrivilege	472	ms-teamsupdate.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe
Token: SeTakeOwnershipPrivilege	4568	msiexec.exe
Token: SeRestorePrivilege	4568	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3112	Update.exe
1716	ms-teams.exe
1716	ms-teams.exe
1716	ms-teams.exe
1716	ms-teams.exe
1716	ms-teams.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1716	ms-teams.exe
1716	ms-teams.exe
1716	ms-teams.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3112	456	c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe	83
PID 456 wrote to memory of 3112	456	c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe	83
PID 456 wrote to memory of 3112	456	c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe	83
PID 4568 wrote to memory of 408	4568	msiexec.exe	112
PID 4568 wrote to memory of 408	4568	msiexec.exe	112
PID 4568 wrote to memory of 408	4568	msiexec.exe	112

C:\Users\Admin\AppData\Local\Temp\c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe
"C:\Users\Admin\AppData\Local\Temp\c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --exeName=c8db62bed2305b35860ba601c926f664da5c49cb58db6e364f0ed2805af511f0.exe --bootstrapperMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3112
- - C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teams.exe
    "C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teams.exe" msteams:?instVersion=3.4.0.0&instExecTime=1732593249912&launchSrc=t2installer
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1716
  - - C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teamsupdate.exe
      "C:\Program Files\WindowsApps\MSTeams_24295.605.3225.8804_x64__8wekyb3d8bbwe\ms-teamsupdate.exe" -CheckUpdate -AppSessionGUID f8ad92a2-312b-431e-9aa1-31bf5823fe4d
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:472

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 29B761CCEF0D561024259640633D62AE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585300.rbs

Filesize
350KB

MD5
6e0eb177fb3bcd627cc2fd2dac11f893

SHA1
8b2bf55ab29a74358a3211ff1b1a57f7aad1bba4

SHA256
df90fe811359d8d1c824c4170133430077f565eb9d717ea05ea5aba050d7d906

SHA512
a2c547a17d8b7b127387382cb4038797e56488677e36df8e5e20e9b33df49afd1699c18a357aca69c7170adcaaa1a61668bf729c1ad85f8d9dd9de93dcb19a0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
5c804e6fb47a974389bcb2b6dce0cd73

SHA1
2b6e0be20fa5705cde49d9b95d8fd28ae41087ea

SHA256
a57d0e2c157698ad8ef542ab205995561b7d1aab8e081ad9e588301ae7d228e9

SHA512
390aff6d0a178c8545b0f7b43e8088215c5e4cc834a8e3407f40019232749e5a6574709d6d817c9cede22e17ca7bfb07459f235a436b90f1368a1fa11f497bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
5f041cafee44e7880603e876b5df231c

SHA1
8ab2eee21e1a90c33e9ebc023ecf8d5d95a7a776

SHA256
a2a73920044d8bd8d6579c45428f7f332b7955ca6c9e0718748836d6553f53a2

SHA512
3f01012ce21a4e005db646b8bfe229f0330b93585fe3ff49038ebaca0ad345efd24bfdfd61dccd934a584e7409054d8e03ad80d4c6384a1b5ecc0ada6a24c496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.28402\AddinInstaller.dll

Filesize
34KB

MD5
fd109be1f7a56bebf0ef87189b2135f1

SHA1
d519908c1ab3bb7e079ed30f7bbfac9aeb88cdaf

SHA256
d414cf6887841b35f7380d4de9e2982eaefd4736f83dde81f3e3480aee00c39f

SHA512
72166b7e1b8f953b2409c1520ef4a23d38584ef0fd1c87fff31c4c2e52d6fcf049d1a3a8443cdc9f2dce8872553b8369e7dd21263b8942567cdd5a9736a3cdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.28402\x64\Microsoft.IdentityModel.JsonWebTokens.dll

Filesize
66KB

MD5
622623a04c985eeaa82d2a1f15d508cf

SHA1
f6e6bcc42d1e1bf0dc7d635beb4a1f063a4f2b66

SHA256
041946c132c0561ce8d0a1b0f74eb979d69660deda241bef4a0570f1cd1d9289

SHA512
46027876fd165c8399e3896ab6bcba034bb69cc5e67c68fadb40101db05eb81882b12f86bfb75845155bb94d08c9c7d1c97461f1677b0cbe6b71e3a8358a6f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TeamsMeetingAdd-in\1.24.28402\x64\System.IdentityModel.Tokens.Jwt.dll

Filesize
81KB

MD5
ef26e784474ef5ee4c86225829784bd6

SHA1
db058e83d7b6cde77821d9da640f7b169fd80e07

SHA256
15aa3a16426b1281f0a4cecafc2a054bb29b7f3d09b3048f048ebf67c4f53e1a

SHA512
7621855326125262ffa2de6577d79fbc20f60f0aad3aa6fd42006ab806438cf262e18cabb802eacb1337b7de424fa32c543b8315436d05e519a29458405ef706

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs\tma_addin_msi.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json

Filesize
994B

MD5
6a26ce521c14209053de44c411eee0fa

SHA1
4109423c3f0c78a26aa6a5581b978a4fb96a3415

SHA256
8b4478e1189e7ffb8b516dcf0e577eb38a86ff4e770e71ee423c7c669aa5c479

SHA512
7bd3adbbf2f24403b888bf79fdb4e3d75a91d85de01a8217c7efd03fb9feb4934f1ae7bd311add57f54c0de2185bca062b2dbfa28fbd5a609bd99bb6cfbe4ab5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\app_settings.json~RFe5850cb.TMP

Filesize
961B

MD5
aa01b6d5996e8aa6aa0ead4540c5f71d

SHA1
298225befe3ebb8d46ece0f86473a39042afc54a

SHA256
375519e63b569c23f4cd94b9acc77cdac7f8c417e56b77fe8dc7543f4c8950bb

SHA512
d344c5ba1bf82b7bac91cfb052e58698493f907b52578d829c66cad2477607470d6959d1c3187658ac64fead0a92fa4dbb24ef2ad5bbda1680eb31342f597757

Download Submit
C:\Users\Admin\AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\ecs_settings.dat64

Filesize
2.0MB

MD5
b745d755612237c364adaa4c0a0abe49

SHA1
9c6d86fd7baf9442fed171f1e5cf1cbec95e292e

SHA256
f4166ebf53ccb4ce05863db3accfb376736104a3ee4d503fa1314ecd7c41c5c2

SHA512
3a70838bd00365773e66523de4eb03c34142b1da490971aeaf128b38320a0dab5489cfd50b4d5d106ef2006fcb58858da955bf3d6f2e3e9a25396765a8c2448b

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
7KB

MD5
f80141a6f48d6ece492f0321f95dedbb

SHA1
9f2f7bb873861683903e45e680a2960c5a6fb565

SHA256
d0e35b4c123fd775db6f4dfb40472720d07e651933d7f49818331ef2ccb98d2f

SHA512
f277841e42c12d2571516b280a1a0e847a7c6ac143f6409b4770e235d3e20e412902661501d000ce41cac60dca3a742040b7d785844d968a755ef607364f7583

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
143B

MD5
74948ed40ba98387aeb324ea86e645d9

SHA1
a74446a8e934b2c8b6a3fbc437e39764afd382a2

SHA256
db4740fe6b3dc85900d2fc11e52fdf0e7afe6eacec741ad6415666ba8d342643

SHA512
2438b4cdfcebe97e5eeb11d7b229d34f30571a71a18dfa7d30c7421e157cf31a346728dddca16af75529805972357746d5c4b70e36da105781407ffaa18bb8ee

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
360B

MD5
87fb7168a3ae307e2641434c624e39be

SHA1
b2003b8e69035a6b4bb78b6a5772b405f64e8236

SHA256
d97e3647131001455c639de011cb45454f7b934481220b8454b9ba970cab1695

SHA512
fb93906c18ee20b2ead5be6885e4177f35b933ce338e97e640858957e9a87ace843499298ad88231f3b65a39e4f659b28b3c842110ce23a7cfdf0d50830c14b0

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json

Filesize
360B

MD5
8092a95b08649b43804080bb4a132188

SHA1
95908c3e13248f911daef4e5a50524472355ef7b

SHA256
5d626976c8801a3893c97df6037bc7a74760671ccb70e2c8e5405df90df7269b

SHA512
0ae968d6f7d9f19c73029ae351372ad02e83b190199c3a47dd6f054a31210d115721c8115c5957ee44e5aaf64b6029d37e35ed8f62aeeb248bd25f98b757c60d

Download Submit
C:\Users\Admin\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json~RFe584f92.TMP

Filesize
124B

MD5
98d8595a47c9f70033706bb441d55a86

SHA1
162943310d516c7f44341af615241bbcd08f5c87

SHA256
d651df9b25e7b36f5492d15050c5281f0519042cbc4b40742332d10fe220d90c

SHA512
c7c81b6d80d0a868eaff3193e53f24c0eeeb25d7cf8d4df1b0d0aec14a4ef5f402e290ff5c9640cc3687462f8a9ccd4957715e823e9a50f38d635b7a7dc44e1b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
2.5MB

MD5
b690b2420b21107e633b4e325768c1d0

SHA1
8f3faaab9eb83af7eb1c9963230e5980642c1dfb

SHA256
1f2a34f84b7f4171bcd0d40c80acee8aef0d9dc3529deb3e372bae180f571c14

SHA512
64b900fb5cefb8dec747c768061ea95d4ae2202127ae41cad46a59ab5e5cdfaaa78743d6383241a124e3ee4e2015566eb8f05285e16c12669745e23d293c90f6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\downloading.gif

Filesize
8KB

MD5
3488a1749b859e969c01ba981036fab6

SHA1
a65b72461fa14c89fce0d025e43454830a1f7972

SHA256
c3fa333fdbce95d504aee31912993dc17ab31324428f557ac774f7e98b049b99

SHA512
7363003422bdaabb7943439ee1e846867f0f3d0baed3456424544a81989bd2d142a411cf982d90e4158314d410cd1a1a4ee33d8707219b4274cd2841705bcecc

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\endpoint.json

Filesize
610B

MD5
34b2a3afe7ae8ad113f54e64d2f62111

SHA1
c0afa4727bab161b777363fd49225d7ef084c16e

SHA256
1578d085af8165ef971cbb88d327e07c2b82c34eff379fcb2ab030a188b2981d

SHA512
d6a8a70603157f0cf4b4d2a2992b8082d30e35aab7e47f973e8bde5841dc5528f7a62a8d3889093343f0a806a1161965126140345ffcb4cb0dbd36e56f155720

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG5687.tmp

Filesize
150B

MD5
2be48f533744efa173a2ede37ea8031e

SHA1
41fad4dd24cc97a3d3056b026ca8056c9e4b9e3f

SHA256
02375fa63b79648ed6bb419c08f78ba9032ee22ba7170250e24427f47fddfa4e

SHA512
f49495311687f2a1af4ff60f8ff304d3ccddcd66effc36dfcfd71de91ee86a405c14c3f9bd81240cca76d4de1f4abd3259a7af6d53b2c3737c8963123d6f6815

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db

Filesize
4KB

MD5
0c10104f99ef8f2a0476409bf24f918d

SHA1
49fb0dd5654ff54c2c772185a861a0e020b0940c

SHA256
a5593a4889231be7bc937df4ab64854aaaed43ef4da8e4c3694b8865bce979cc

SHA512
c58cfebdade8fd18b8c3e997aa5b199a41a576fe71cd435bf4c76a740710ab54b7ba66c9a720b3fac94cb37e2c534a32d7ac6def527ec5dbec40b81b4822efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db-wal

Filesize
48KB

MD5
dcef7618cbace5451f69227e3b71809c

SHA1
45408718d2e95c1c183ef1602bd7b9d1287385c9

SHA256
474e2d13130be2ce054509628d0c7ee47b31c519eb6753c32458c28724ae25cb

SHA512
95c3dbb8873d639d0d7363736168a876e7dfb2edae6f79e472e760d8443ba015a2d81c9e4dd8d8c5002e4de534466bedb4415e028d02377b39049f0d054933c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88.db.ses

Filesize
53B

MD5
2cb9b9cf7be892f7acc1592180ba52d1

SHA1
b381031ba478ab0825c658459cf2ed4f2b96c278

SHA256
56619b2fd59e25c0aee5f8d0b40e0d0d8e5b4481442a63cfc5fe48065928ac22

SHA512
6157242216d5ab86b307cb99352168cb1f9a839bae89bc6c3b8d2aa3f8f6210e6edd4091acf086e0a9eebe8003eeff1cab1f0070e95fa80285d8ec23675a0d23

Download Submit
C:\Windows\Installer\MSI553F.tmp

Filesize
298KB

MD5
684f2d21637cb5835172edad55b6a8d9

SHA1
5eac3b8d0733aa11543248b769d7c30d2c53fcdb

SHA256
da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0

SHA512
7b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c

Download Submit
C:\Windows\Installer\MSI6C26.tmp

Filesize
113KB

MD5
8fa4088a730b967d85df562fd5ef7d5e

SHA1
629db9229f4a4a691e14f38f4dbffba157fa1ce9

SHA256
cdb195012fa5d3cfb80f8ea9fb23348c8749720d7e3a20cb7774cfd717f2df36

SHA512
1037170aed40aa33a4f983e168ae91247c23768fa502877d0b872a462d04fd5687cc50056add6419e3637306ae15beb1cfd04a51f126109faece09087ec16fb2

Download Submit
C:\Windows\Installer\e5852fd.msi

Filesize
13.2MB

MD5
671d61a6af06bec8d9bec8e495510e06

SHA1
59457005d87757e8e06e6e63c9674655b8b67512

SHA256
34be9ffe274da2accdc4ffe56017c36b123811e945117758c45852bf14cf0d8c

SHA512
8b6c9a99da310fb0a17e46085646f82ce3b3676813fba52e5101b32769170b9c6866b1516ea6cc38933ff86afb0c8b68b6c9b85f23da0551ee26a2d32e5d5f0f

Download Submit
memory/408-305-0x0000000003570000-0x000000000358A000-memory.dmp

Filesize
104KB

Download
memory/408-309-0x00000000036E0000-0x00000000036EA000-memory.dmp

Filesize
40KB

Download
memory/408-322-0x0000000005740000-0x0000000005752000-memory.dmp

Filesize
72KB

Download
memory/408-323-0x00000000057B0000-0x00000000057EC000-memory.dmp

Filesize
240KB

Download
memory/3112-23-0x000000000BF60000-0x000000000BF98000-memory.dmp

Filesize
224KB

Download
memory/3112-9-0x0000000002B20000-0x0000000002B2A000-memory.dmp

Filesize
40KB

Download
memory/3112-19-0x0000000007020000-0x0000000007046000-memory.dmp

Filesize
152KB

Download
memory/3112-16-0x00000000060B0000-0x00000000065DC000-memory.dmp

Filesize
5.2MB

Download
memory/3112-24-0x000000000BF20000-0x000000000BF2E000-memory.dmp

Filesize
56KB

Download
memory/3112-25-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-13-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/3112-11-0x0000000005140000-0x000000000515E000-memory.dmp

Filesize
120KB

Download
memory/3112-10-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-22-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-37-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-33-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-8-0x00000000004B0000-0x000000000072A000-memory.dmp

Filesize
2.5MB

Download
memory/3112-30-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-29-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-28-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download
memory/3112-27-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

Filesize
4KB

Download
memory/3112-7-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

Filesize
4KB

Download
memory/3112-26-0x0000000073CE0000-0x0000000074490000-memory.dmp

Filesize
7.7MB

Download