d1094678869c29df3963bf90c661e4c82b228a2017252f9dec64167232d4967a

Analysis

max time kernel
40s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Size

4.1MB
MD5

50480cb8170b0d97e73ba781aec7cfe9
SHA1

ec38f88ab9a828640c1a8cc982896014287de814
SHA256

d1094678869c29df3963bf90c661e4c82b228a2017252f9dec64167232d4967a
SHA512

075571b1fb6dd2d6fff774d8aaa628afccad9b4c803e05a563eb57af881ef8db25385c894b41228e82e942222f117224601accb2893437a05cab6820bff11b22
SSDEEP

49152:Q5Viqwo4KxghcyJLBaSbvviqMjfBV+TFZ1bBzP7n1Y8/17MVfw1QSXm+RFvTCr9s:QBfr+TFFqRlw6a+dU7dG1yfpVBlH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
464	Process not Found
2768	alg.exe
2604	aspnet_state.exe
568	mscorsvw.exe
2940	mscorsvw.exe
1528	mscorsvw.exe
2928	mscorsvw.exe
524	dllhost.exe
2276	ehRecvr.exe
2336	ehsched.exe
2468	mscorsvw.exe
1648	mscorsvw.exe
2208	mscorsvw.exe
2808	mscorsvw.exe
2556	mscorsvw.exe
2868	mscorsvw.exe
2464	mscorsvw.exe
1072	elevation_service.exe
2036	IEEtwCollector.exe
2424	mscorsvw.exe
1100	GROOVE.EXE

Loads dropped DLL 6 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eb146ba83db14c9a.bin	alg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D65B6E56-FC76-4FE4-91A4-76D9714ED143}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D65B6E56-FC76-4FE4-91A4-76D9714ED143}.crmlog	dllhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2212	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
Token: SeShutdownPrivilege	2928	mscorsvw.exe
Token: SeShutdownPrivilege	1528	mscorsvw.exe
Token: SeShutdownPrivilege	1528	mscorsvw.exe
Token: SeShutdownPrivilege	1528	mscorsvw.exe
Token: SeShutdownPrivilege	1528	mscorsvw.exe
Token: SeShutdownPrivilege	2928	mscorsvw.exe
Token: SeShutdownPrivilege	2928	mscorsvw.exe
Token: SeShutdownPrivilege	2928	mscorsvw.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2740	2212	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	28
PID 2212 wrote to memory of 2740	2212	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	28
PID 2212 wrote to memory of 2740	2212	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	28
PID 2212 wrote to memory of 2724	2212	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	30
PID 2212 wrote to memory of 2724	2212	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	30
PID 2212 wrote to memory of 2724	2212	2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe	30
PID 1528 wrote to memory of 2468	1528	mscorsvw.exe	41
PID 1528 wrote to memory of 2468	1528	mscorsvw.exe	41
PID 1528 wrote to memory of 2468	1528	mscorsvw.exe	41
PID 1528 wrote to memory of 2468	1528	mscorsvw.exe	41
PID 1528 wrote to memory of 1648	1528	mscorsvw.exe	42
PID 1528 wrote to memory of 1648	1528	mscorsvw.exe	42
PID 1528 wrote to memory of 1648	1528	mscorsvw.exe	42
PID 1528 wrote to memory of 1648	1528	mscorsvw.exe	42
PID 1528 wrote to memory of 2208	1528	mscorsvw.exe	43
PID 1528 wrote to memory of 2208	1528	mscorsvw.exe	43
PID 1528 wrote to memory of 2208	1528	mscorsvw.exe	43
PID 1528 wrote to memory of 2208	1528	mscorsvw.exe	43
PID 1528 wrote to memory of 2808	1528	mscorsvw.exe	44
PID 1528 wrote to memory of 2808	1528	mscorsvw.exe	44
PID 1528 wrote to memory of 2808	1528	mscorsvw.exe	44
PID 1528 wrote to memory of 2808	1528	mscorsvw.exe	44
PID 1528 wrote to memory of 2556	1528	mscorsvw.exe	45
PID 1528 wrote to memory of 2556	1528	mscorsvw.exe	45
PID 1528 wrote to memory of 2556	1528	mscorsvw.exe	45
PID 1528 wrote to memory of 2556	1528	mscorsvw.exe	45
PID 1528 wrote to memory of 2868	1528	mscorsvw.exe	46
PID 1528 wrote to memory of 2868	1528	mscorsvw.exe	46
PID 1528 wrote to memory of 2868	1528	mscorsvw.exe	46
PID 1528 wrote to memory of 2868	1528	mscorsvw.exe	46
PID 1528 wrote to memory of 2464	1528	mscorsvw.exe	47
PID 1528 wrote to memory of 2464	1528	mscorsvw.exe	47
PID 1528 wrote to memory of 2464	1528	mscorsvw.exe	47
PID 1528 wrote to memory of 2464	1528	mscorsvw.exe	47
PID 1528 wrote to memory of 2424	1528	mscorsvw.exe	50
PID 1528 wrote to memory of 2424	1528	mscorsvw.exe	50
PID 1528 wrote to memory of 2424	1528	mscorsvw.exe	50
PID 1528 wrote to memory of 2424	1528	mscorsvw.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\2024-01-25_50480cb8170b0d97e73ba781aec7cfe9_ryuk.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.73 --initial-client-data=0x138,0x168,0x16c,0x164,0x170,0x140315460,0x140315470,0x140315480
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2740
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2212" "468"
  2⤵
  PID:2724

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:568

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 250 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 264 -NGENProcess 244 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 25c -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 258 -NGENProcess 26c -Pipe 1d8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 270 -NGENProcess 268 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 278 -NGENProcess 270 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 25c -NGENProcess 1ac -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 24c -NGENProcess 25c -Pipe 1ac -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 284 -NGENProcess 260 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:524

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2276

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:2036

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:3040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2352

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2996

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2624

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2676

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2916

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:924

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2068

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2792

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2572
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3427588347-1492276948-3422228430-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:2684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
e5c41adddb7cce0550f2b98f61451415

SHA1
a5ba4627fe664a0c872999c91dc44b935b71475c

SHA256
24670d0c1a0445407066bb554918d568fa03a912a4048f6512526e752d622beb

SHA512
29aa47049e6fcc8fb170477313bc0f81d588f2256f2687a8d801b2b361b3a7cd40fb3d0123651be4004290ff0d1fa2108605dfb53dc89caea81639d8a7acb153

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
2.8MB

MD5
2bdd572e5d1d90e5ff3571049764e2e6

SHA1
30b4b14bb240abab5ca5db9a91bac33cf6bc8332

SHA256
0d3d927b0bb411cbf6ef3011d3b23e900cd25788fafb52e504408bb3cd176b45

SHA512
c32b4e6e9d51ace180ab46cdcddd86f0345b683cd68b83aa5bb64399d50b3f48c122f46cbd71738ae4510b240f27dd60c08575a1d155c683c3f92bf3954b236a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
448KB

MD5
14cc9499f7008b751bad6bca0b4077e5

SHA1
dcf664c079ba45c57bdbb48f489c9093f9caaa24

SHA256
a61544249b17532ca1773cb092bd1577369f89d2103f747a137385aba283fdc5

SHA512
4f4305cbc76d2991a3d76b721f6b1ef170559540d849c8b66661392bdd2c4a0470c93d422a3d12a6f887b8c0dd269a3e59bc4d7e9afdc368360aad62f3295b08

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.6MB

MD5
7e8357e6422dc3c13b43d8c7dfbd8176

SHA1
80746fc5d18966e0351fa0115a4b4ac3446cef23

SHA256
5675a9fb71d85cbcdb83e88d3177f82b55282a731ce8f588bcfc242653d0e95d

SHA512
9dfdde6f0f5d36622092191d15de6ea8aa0d1b15a19fef1d5a4be17c0a492a66b5f6412f9497b603888745597a5928b26228fe9bc316d516ae06b08b9ca6af7e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
256KB

MD5
e8abd44cc79cffb7b1fde0af92349ec0

SHA1
f30ce6604adce4a249a85681fffe67efbe0209f8

SHA256
1a6bde1e0294a15634591c53649ff212da4552bcdd4bb87be95368fe90ae7dcf

SHA512
1c3b4eb2e9ec4b7426e83e8fe8d35c935ae56866c727f55fb4bbcd3659735e625d35e740d9cc275c6d66fd1372fc7794de2bb5f0ff05446df06442781551cb45

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
070825070fe2ad27fe6916a1c85fbc1f

SHA1
e61dd571327cf256c865ece3432c2a1fee79dfe4

SHA256
f2ff3aff3c345eba047e4b2e31d96196685bf2a995201a3e0cee34aaab645f73

SHA512
31b60aa98cf509997edfc1c09ee86893e73769889390bc68d08e6dbf97bdac7be8ccffbf6d9421c7d6d8a71fdfd336adc7274a8ca0ceee947d29752d8077893a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8d18fc2c470e3a012ea7faeedba5ef9b

SHA1
fbb54728dcc91aa6605ea2f6c12ce92561458efd

SHA256
a0295bd95fec3f95a2d34ef5c2b74ce5ce8d8a11b1513f018089acfe930c73ab

SHA512
18ed669280eae5b9f827117da8f0c62abf5c88531299aa7e9709681ea72d6a50ec8f1e8bdf575d18d9a90b60452a417cd904374b720f858932de25521bbec930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259435370.txt

Filesize
1KB

MD5
cc31548c407f0537a0cf7b8f7706c97d

SHA1
a2991eb9b90afa4849e71d90f2747e675c04016c

SHA256
666d41c5202fd7acada39495828a7742a2515bddfbf54a8075cc861127d5a96a

SHA512
3885f12fa035a219682d21abb012112dda2bea1aad9f18ebe06b8e0d5413b682d769dd646a2cab22d6296c8362b3de38614e868523bb2111ec71727ebd77c24b

Download Submit
C:\Users\Admin\AppData\Roaming\eb146ba83db14c9a.bin

Filesize
12KB

MD5
532ae37524255354bc67acef686c3072

SHA1
4ad49711d698c53adefcbdad764e4b4de9cb7f6b

SHA256
d6fcc2c44704167553a8bb4fbef404e4eff7a1bb3e829364fb59326df3defc9f

SHA512
de0f5ebd4a05280339583c90f089e6e5a5e6419784917f46f49fd55b6e40c40e2b0314df877d259c7aca185680ae9a521831c48f0c16bdef085d0f148ad02e9e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
32acdea5a4245ce9157c785db9b4b2a9

SHA1
f9e82136268d3e9f8e9a8e965f05ae1ff5e0684c

SHA256
6459966febd3019d0fd342d4880cd2c87f8f48e3170604340f76971529626934

SHA512
058648bd7f0ceb384b4f72e361e930f2ce44993c558c59b0e1e727d58ae7801ac878114a1c3b79f3a48e081b59fd0b3b4526a818a9501516adf0fcfc3689f739

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
0a68a2c3119a51b6473543886e8795b2

SHA1
a004d2dacf6829669242047f02f650db6c03cf3c

SHA256
33c7d29a0eaab11d630e0afc39dd91f91dc9e4ffab07f981f578b2e5c219ea4e

SHA512
11847cfb8170247d1b1289471c82f63933aaa651ebe56db7c52ce7d5791fa47b72d8473f17dab1d6d777ba96fd762897c3edfe62e5ab28a6598ce38c5163bdd8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
d08b2065e3a1f3252b1621377f07c7fa

SHA1
274bdb6cf8986e56bfd7ff6bbfcefb592b0537a1

SHA256
efd5fc921f24fb2a67ec09ef635bc7201269e91bb087df3504dfb6c184033826

SHA512
3c1f2002c57170d32bebe8a3591f3a17515de445a2fa1bc0e032ff7c11cf8cfa79e0de648a949b4f3a920214e50191a31825e79cf043235b7e57101032d2bed4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
b474e6376315dd57c50fa387c19913a6

SHA1
c7b4020a336518dc470554b91c07dbdb134beb16

SHA256
58270eb399a2f57eb32803eeeba0d39585dbfb476fbf48c86f01ae443b2f92a5

SHA512
17e1ff072f19875ab3d6da1dc7efb022d8126db1de0c26c412439416ef12266351066d849ae7cc872754eb1449439d87eb2e137a93acd611c35d52fa220677db

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
0ffebf246ada492fe1a643a607d21cf6

SHA1
dda2feccde806884ce6274aaefea8cb321278907

SHA256
63fb740aa9e5be9c5d18be41b97a328f0ce82cb5e8f5a94dd3d3d2966618b950

SHA512
a64b802198a6dcce2982a4bce5dc5abce8b297f41c691605372eed97ccb3dde3b81a52ff09e395866bd6d5fc19ef5b9165c4a4009284b98fd4040ed6d8a8ffc3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
7331ff03c15180a659dd48394bb649d9

SHA1
5574b4db1c7321aeb2b41c739748559b1949db98

SHA256
136972c7f3adb329c2fc1fd5453390b7e77729ea65a0f3f3077bdfa3521d657a

SHA512
751ff602fa7fa9d7cf08741b40704651c4cb03d835caecb1aa4143aff33524b4cd3add1ec69b407fa24b77a98daa10dc7c81741275943a528781b52391d2a4b9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
896KB

MD5
0dc5922a4623bd2b18d493edb4e13c54

SHA1
ff710d90a2a83a32f3a95ab5cfc900e09cc3f862

SHA256
8e2e7762b8331f5ee4cf8e5f7437c7831ac195a76055abcdddae37b994d0b733

SHA512
e3e904fb7270f0030f600fee89b5aa4246d46bbcc4c5ca8d3f0db2f3047eceedc677546f5e55635a6f7e84cf94efc9f5fd9e5787b842eab5ea79622be7073883

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.2MB

MD5
a610cce647981eea7144a33a6f25890f

SHA1
8fb08fa3d7f141ed5af4a95d7932e22906d62c45

SHA256
8c27933fb23e6f149109540aa0ea5b37cda66b6de77891251cffb98f848a7b56

SHA512
5ffb25374aca33f05169986de620f006171bb491d14ba4279d56a64dbfc2f9e38e220241048732ce1b20058f3e2a3f4b368e692dac64202a4830a77345b45e1b

Download Submit
C:\Windows\System32\msiexec.exe

Filesize
384KB

MD5
c7c193f18eae2e9bf6e8bf02ad433969

SHA1
59dc383007ac933658ffb4f8be6be44c62187019

SHA256
624cb0b843e8258c3b595859b304063269354e4acbfc8a113563be78762018c2

SHA512
28914e7da13c9a7844f63744ce38f49d49c925298854ad5d11247b8f8504ff7c74b4bc71e5aa77a4e0a951ce52b52c1006381d6f7a9a43df8d630dd7d2edc232

Download Submit
C:\Windows\System32\vds.exe

Filesize
320KB

MD5
95142cc294167e9d670968c0639d704c

SHA1
123201813e132fd1e58903ea6beb11626bb19e6b

SHA256
6466d07785e5f64ec1656ed9970fee9f53ff58dffb2a1953d93828c30a7d8d9c

SHA512
ff37c7407416b998ad4eb4ecc66ada960a3d47dc16e804ead6cab835833b4e6394c35fa3397fc26e7d102050fb05d2f8713415c309de774bfe026bd82004104c

Download Submit
C:\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
0cdda5cee0ae0bd2a81b8cc4ef6fcc40

SHA1
1e968f3d9a9c60894f3b6d80f020c28ce6054440

SHA256
b80415f943730a3a7c15180edabcbc79db329134463f31ee5e659de33efa35f1

SHA512
4a02cb7cbad65be1bd0b21bea4c6ff5278405adfb9145b282a9873a178917dc9ace01581c37932dceb35d041447bb3a1251e943ed6366bf20bcd8696b13b3e53

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
448KB

MD5
9364070ae4b7d62620c9e0da9fb83c94

SHA1
d24dbbd7b536c9d5761387a40ad5d7c7a8136c55

SHA256
cef79784530d77b770ac8437b92e03f7ce82bade80abc05c289dd1f0058a069d

SHA512
81a57663da38c3bcfe9174ec478c645a11e7b35a1c71ec6333dc5ccd663b3d633c4c07824de0e0f9a3302a42ebad9716bf2f6e571fa8d6840c5e411a611cd05b

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
c269b1626d5d20b767cbf7a91e0bd875

SHA1
1ef60f5362aa05e0cc4c5262ea430dc54d3f9bf8

SHA256
05d0ef91827f0a1105c111ef19a6a48f1edb363f31ea7fcd9a21d810def895a7

SHA512
8f7a8057f013aecdc69ce0e4bea9f0f4f86b1e291bfb15d2c4de7ad5b01d64ea4c16e70d0ca9f560dda7db05c0898343ae34435f5d0c665844bbdbcf04f884f5

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
960KB

MD5
8ad57a42a6cfee4774d19a37afe36e19

SHA1
62e5eb388fc0b4d5dfb28651d8f842233dde15fd

SHA256
e6d4ccbbb24fdd9f8a22c021728e607f9385c32822405e884c810a77845e57bc

SHA512
f6aad6ceba01c14272534e92525bc3fedd2d7995f26796d8ad8cc34a9252dcd40388e50f815cc47cf204e0bc710c8ffb3879c697e2fa0f8a1be48e30bdb84f1d

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
43711815ac6cf6a6cae1e1f50fe70529

SHA1
4b11370855fa33b14afc272b0bd50a43184f36e0

SHA256
ca45036fce26ad47e1f2c557081e097ca1a90bee6c5688b32f9f91ab9231c2fd

SHA512
8088ce87519e625745ce0a015737f1840578924286339b6e620020461183e6ea88da4ec33aaca63125d3c62495fc2ac339e46a783b25f55b06c3bf9ca913069a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
40d9b3624108a8e045555a7cc96a8b94

SHA1
a088e8c51ce5036e5aa1734f3cf6897f6a593cdb

SHA256
414ad99d79952f19907f1a00ff5dfd0d78c010e8c8bb29007e6c81547c3d19ed

SHA512
50080801cd7a726f9a1fc18123ae8edfd2cd5b37e60f3ded36de772af8ce8bf482b899bee6f55f4915957a81c400312556019315bd758f296a9c804d937ac2a4

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
e8ded9a673c06663cd5123287f7f9be6

SHA1
932c665871c33e8f4b5d144f86665e14fd8e3b7b

SHA256
f6d048c368b8d49d2eef77274fa72d072dbb1d8b25518d0eecddadd821fddc58

SHA512
7dfd959c6e38438d057bc8f27fbcb240e2581a80586e667edac1b9a107af87c4b8b577f2c66ef89565980963677434cbc2e4e915ebc8c4b67c1264be4ed48e3c

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
5c760ef3811efd3cb357f176d43aadca

SHA1
eb4c4a2d7230a565918c99949345ef60b0e6bcfd

SHA256
c42f0dab79fd8fd47df0b56c40d96a3f5a3d897a2f7c61b8359e29303b028eed

SHA512
04e2cf6d793d03b965512f2a28577bcf48eb65ca045525928f40b0eef8dd2ecb2cea8379a5779a22387b0516587b6629136036155cfbd0b6defb66385aaae5b4

Download Submit
\Windows\System32\dllhost.exe

Filesize
577KB

MD5
b4408a438d93fe471775dd912eea8621

SHA1
ec7fb98e831d0042be21ab7b9eb301bb502e8044

SHA256
2dd0c884f4f8c9c39ac6ef7c3077b57e5680e2e5469cb5bde7235814f91edfc5

SHA512
c7d59675c2f986a6ff08d23738e030e1dc1fdd8815dc40e9f64676b4e0994007fe4f13cc28042a0ee01c3c52b30d5a46a3b14af9336b07177f60b6c1f6dc8413

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
e40503c8541bceb7c3da24c9812f2c95

SHA1
641e5bf4a3d42ed9eb2da43327c082398e53fc56

SHA256
40f1eca8c8761d173629a8102689d332e53e497025dcfbeb9f8151983ae0190b

SHA512
c94161976f0ae454764174eb18ee22c9c4926bf36be654e4ac81dbd1b0e88cfa5ffde005a7a9e2e04619463209331e91e72faba5b605cb251298b14f70dda2e8

Download Submit
\Windows\System32\msdtc.exe

Filesize
705KB

MD5
4b0b50afb4ba7f5cbcde9c53d61b1b7e

SHA1
76c7c4ad70adb1847d1e3633cc1e60db26f9f4b4

SHA256
571c975f9598fad830e628a69c7d4f8d3e9eee424c8c07b17ac18827d3f8ef17

SHA512
5141e0f4010504af7f0027776716bfc3a31d644dca9ef9ac20dd0b138d3ca29f205860fc7dd4509413c6b5c61dba1fbf916e61520c70d8741e14b68c1ec4978c

Download Submit
\Windows\System32\msiexec.exe

Filesize
691KB

MD5
7b8c00a3ceb6d0e148ff639cbe23123b

SHA1
568855c95a2ae51d9baf4a264d149eb485bf332b

SHA256
451b33cd874afb6b8316de23fd25214b58e960d0eb46bbd2df26597fcd9163b0

SHA512
b084597bdda3ae739503ff8a9cef2fc6925077c2096365b0185a50e5b21736ed7ece6b699602db5557652cf8ebd4a7ab5fec957ebc008b118d4f39f0d1f80c1c

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
3107d16512e375fbdd8d0cf0a79891a5

SHA1
08c3a0e91e2fee378521deac7f0186b7ec3acf71

SHA256
112844fcbe6f55d3c9fc8ac524bb187949d66082c5491fcedf5a5db7bbc94690

SHA512
0d3f85d3fe4d9b1e6d9d0751868a1561776af5cb23fa27f2099c075b83224b93b11eb192cbf7d09b8f0c0420e2e2dc448f8de6df8fb00847d465fda43d997f2c

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
de5862cca71068c0fd146581f94f82ed

SHA1
de3b40cf0eaad1c9120e09ef230d67923f2b22aa

SHA256
54bdaefc5e2ae40139cb5039da62f16f161c93142e671f30356e0e0db5ba0be0

SHA512
adacfae376bd5fa42deb5b5b5dacfedcf472be32a4afe2359c358d2bc309c339671a230d348487f7317b609e5df9a11a3e29a50e6a7d3a76b509dedd1dd9f92c

Download Submit
\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
aa12d767ebfc744e08d5a1143e4faedd

SHA1
233a80fe4f43163e19685b9cbacee8e5213e3b6d

SHA256
2f2da0d6e55025c117d6b4dcdaa5f350e0b838ce65e8a5a60ff7a547a8725974

SHA512
b20da89a92d4bc1ad83c2bbd78fead305bcacd7f65cc4efb2281907603d7741b29126d62d3aabdbbf50b47a02a1e7936ea3890b630e0da92ebc9bd355a071482

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
7f6486e68b6ee285fc564ff1b41019a6

SHA1
d71f24c7fe907d784d394a129489bd194b83ef9d

SHA256
741730b1e33bcb59b2e6607f438e26c03b170fce5269664da2f9767991b95d0c

SHA512
c45276181c5d0abf2ae937fe464b47fe2df6b205e39c91f9d72b344a918c8ae1df027a8c9838e50e26b18e39e6720cf1c35951ac2999d985085882ed40142398

Download Submit
memory/524-147-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/524-139-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/524-188-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/568-117-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/568-64-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/568-63-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/568-70-0x0000000000580000-0x00000000005E7000-memory.dmp

Filesize
412KB

Download
memory/1072-287-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/1072-280-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1100-322-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1100-323-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/1528-101-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1528-100-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/1528-106-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/1528-176-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1648-200-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1648-204-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1648-217-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/1648-218-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-299-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2036-292-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2208-219-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2208-215-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/2208-232-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2208-233-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2212-8-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2212-47-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2212-1-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2212-52-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2212-14-0x0000000002730000-0x0000000002B61000-memory.dmp

Filesize
4.2MB

Download
memory/2212-0-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2212-7-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2276-225-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2276-177-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2276-198-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2276-160-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/2276-152-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/2336-165-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2336-208-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2464-271-0x0000000000590000-0x00000000005F7000-memory.dmp

Filesize
412KB

Download
memory/2464-274-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-187-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2468-203-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-189-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2468-202-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2556-247-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-242-0x0000000000280000-0x00000000002E7000-memory.dmp

Filesize
412KB

Download
memory/2556-260-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2556-261-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2604-138-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2604-46-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2604-49-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2604-60-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/2740-12-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2740-20-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2740-99-0x0000000140000000-0x0000000140431000-memory.dmp

Filesize
4.2MB

Download
memory/2740-19-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2768-26-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2768-27-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2768-36-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2768-37-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2768-119-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2808-234-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-248-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-246-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-231-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2868-305-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2868-262-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-259-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/2868-309-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-179-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2928-128-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2928-121-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2940-113-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2940-78-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2940-79-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2940-86-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download