68e3e732019b48203715fa1a3bc05c4ee592e6e902cc0c57382a48b38afe0501

Analysis

max time kernel
47s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Size

691KB
MD5

f1a9847484806401ae1bcb5849f94607
SHA1

2ff5f5ab4d5a42d221d9e36e779aee66bb9e51e7
SHA256

68e3e732019b48203715fa1a3bc05c4ee592e6e902cc0c57382a48b38afe0501
SHA512

0db2749e07b2ddb533e4fb61240aceabd6d1ee0a25802b3cdb5d53fcf49cfef4ec16f8a5a01ffc827cd16f709784c797214cc00915006aa70ecd5d6d5f89db37
SSDEEP

12288:4racl3u3JW2gh92q5H8k/jLUKciwGEBg/jKypVrtvzESII:aaclkJW2Q2tA+Bg/jNRV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 28 IoCs

pid	Process
468	Process not Found
2824	alg.exe
2520	aspnet_state.exe
2648	mscorsvw.exe
2580	mscorsvw.exe
2476	mscorsvw.exe
684	mscorsvw.exe
1992	ehRecvr.exe
1632	ehsched.exe
2808	mscorsvw.exe
1912	elevation_service.exe
1352	IEEtwCollector.exe
1636	mscorsvw.exe
564	GROOVE.EXE
2112	maintenanceservice.exe
2292	msdtc.exe
2316	msiexec.exe
2548	OSE.EXE
780	OSPPSVC.EXE
1968	perfhost.exe
1816	locator.exe
2760	snmptrap.exe
1984	vds.exe
3048	vssvc.exe
1896	wbengine.exe
1356	WmiApSrv.exe
2352	wmpnetwk.exe
528	SearchIndexer.exe

Loads dropped DLL 14 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
2316	msiexec.exe
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
468	Process not Found
772	Process not Found

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\227326b77df8f25a.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\IEEtwCollector.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehsched.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ehRecvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	ehRecvr.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1052	ehRec.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2936	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	684	mscorsvw.exe
Token: SeShutdownPrivilege	684	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	2476	mscorsvw.exe
Token: SeShutdownPrivilege	684	mscorsvw.exe
Token: SeShutdownPrivilege	684	mscorsvw.exe
Token: 33	1376	EhTray.exe
Token: SeIncBasePriorityPrivilege	1376	EhTray.exe
Token: SeDebugPrivilege	1052	ehRec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeBackupPrivilege	3048	vssvc.exe
Token: SeRestorePrivilege	3048	vssvc.exe
Token: SeAuditPrivilege	3048	vssvc.exe
Token: SeBackupPrivilege	1896	wbengine.exe
Token: SeRestorePrivilege	1896	wbengine.exe
Token: SeSecurityPrivilege	1896	wbengine.exe
Token: 33	1376	EhTray.exe
Token: SeIncBasePriorityPrivilege	1376	EhTray.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2808	684	mscorsvw.exe	37
PID 684 wrote to memory of 2808	684	mscorsvw.exe	37
PID 684 wrote to memory of 2808	684	mscorsvw.exe	37
PID 684 wrote to memory of 1636	684	mscorsvw.exe	42
PID 684 wrote to memory of 1636	684	mscorsvw.exe	42
PID 684 wrote to memory of 1636	684	mscorsvw.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2648

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1d0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1c0 -NGENProcess 1c4 -Pipe 1d4 -Comment "NGen Worker Process"
  2⤵
  PID:1728

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1992

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
- Executes dropped EXE
PID:1352

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2548

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
- Executes dropped EXE
PID:780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-406356229-2805545415-1236085040-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  PID:1696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
  2⤵
  PID:1264
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
91114970b1e946360d5be47ccba692fe

SHA1
3c6b081842cb060c814a3d50ed86b5396f6c1641

SHA256
7d0a7c43210fd6b96438003922d4d5f5bef12510a3503b6eb9c26472c30000d9

SHA512
f07cfb7f123a6a62f56e1bf666f4e356f0aa928eb4f22af37b2be4dd91d0d0ae1b40a30c8df29146233634aa2486a4cd7b50d503c3b246f78f709560ec8dc9e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
9.6MB

MD5
3e7344c90c9b8b875e59369360d0c5bf

SHA1
5016644d6fd2e9c0256bf58afd4c2eeee765f464

SHA256
c1892ef8d045c5c922db195f717650ce78f8b1c6348234847e8cd6e09b0b6b29

SHA512
7f83fb52f1fc1eddd14af2a180e61882a010385ff09f45a8eecf7bbb918ab9050e8062be7955cf4745b7ad3d8e7e91fa2291e433501656885e836acfe95208eb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
cb27e08f64ef8b9854c5e44e4785a49a

SHA1
c10f7265695c8a01489409d3f8698e18d0380829

SHA256
5f270778d67094113f96826b03808e9a039c331f03118ef5eba91e618408b248

SHA512
72fbb759de1dbc101dac98c4d839edc61cc00b0952d4cf4752039c6780e8a8e23ab4f8ace84910cfe1ec95fd3e6147c1ea94e4c1beca287f85b45f7b3982fbe1

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

Filesize
2.2MB

MD5
74d781e5cf4b65eb3e0a866d1a733d36

SHA1
b17caa52e8d530c193884dc7fcc834548683d60e

SHA256
ed7d11f3d52813e5d57b9125f6120c1be2723361001f54aac0d691a0384ce0f9

SHA512
b4f686495865e4a57699e09f9bf9ee7cd840bdcd8ad26c7a609e9cffffd1b8b124e197e4d107b033efa969a88cfcd27a6caecabed049b980101e25d18dffbdb0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c7f0a85b75dc3e5e4485c9f872627a5e

SHA1
5919430520e16943f6eb32795a96ccafd304767c

SHA256
d69f599472c48a592f90158cc72d88fe8b5bd6deb56a71b95db3331fa1f9defa

SHA512
ecfc3be2687a6e22c95fe17ce2dccb1badaad20ab8268392592fdb7711c181ca2420cece7b86c1ff8db13b8d4b50cde543f7eee1c82e15653cf658e534b47643

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
c5d0435dfb9c35483566b872670e5889

SHA1
6a953801732060a197e949031be3e670ba141a32

SHA256
8ae38ecb80d0bb15f325b95e09be64235f7bed0e7e4d00293c7eda2c0a9390e6

SHA512
0d40517720271c799a790debbde357e65cf29266c220d212fc688ad043461a93cd0674bac48dfead99c211a60af6bcfcfa8d59679652c87ef380163138e72785

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
e323b09b4591dc98099fa14ab5aba90b

SHA1
1c611cdf41389c76f8e177eb94bb3446c733a307

SHA256
93022761f00c8608b19420f51b65061065cf5e0fa351f93e91b3e6d91661e93c

SHA512
e82f58f3194379dbcb6b71bcf5ada21b5758a251f1c5cd848746ab91f23d47ae21a88f6f9a7d406b97b2f262cca4232832d29c7d8b606d1f03e5245fb899dbb6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
fc563eed57e170d609225c5ea59c33c8

SHA1
4acc579b9850aa5d6faee3461f7c1d9bca96f2fd

SHA256
434143e49bd1bfe3ec8afe13d99a65baf465db82c67e941b30bd345e150ab8f6

SHA512
7cf9eca5db43872908c7e83c31384253bbb4a55aa2bc53b91d92de315575bb24fb89670464ddf308633f09cfad0bd108f572e65f8363d3f882e03a6a31b04c06

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
625KB

MD5
4e9dbaa9931e3fb110cd14c12dda95ac

SHA1
b5e0970991867c2d231612ceed081f56d7a782a4

SHA256
dfd85c9f90290b153e6cc2b1f56a1ba2bec47ca70f2e05a2599abc2f1f7c290d

SHA512
0916dc88b3f541a41a65daeee3d501f7d768aec6c91db0cc78d899a0060921946bd65b414349600316740bdaebffa49287abea8c23083070fd648f9ee2085f87

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
90f9fd5dc68b4890cbd1e8273461ec62

SHA1
feb6437584c850721fa5b410b55a71204bcbd635

SHA256
fcf4daba221f67ba286b35ebbe858996eb89950b9f0c5df1a2be44a80dbc5abc

SHA512
ab614535027d992186643b7ac5fef1e4f25ca12178473331e28fb48071288aa3f5bcc48052c87712496c9c9abd65d11d0f79e685dcdb9a3406d9139f5e2f57f4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
95754e6e571f8c655cb3c0d8851c4618

SHA1
2f7d24d9a097461c7a9bf26bd6eef1231cc453b7

SHA256
ac3faa093cd19ab85cf1fcc362f8477f2390713bcb3306eef7fe02bf4a801ac2

SHA512
951233ca705ca7123d2ebf3301cffcf03204efa8de6256515d119c11215724b7a3e31e6da6c9c7711bbfc721ccf00eb28aec0ab08b7388ee53844a5fd9620f05

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
587KB

MD5
ddf016a377e15e5f33d3ad7bc354734a

SHA1
034c8bece4a2a69f322c64a664a86885b7ca2920

SHA256
a4021f06cd0e9cebf214f09688be2c5d653cf98afb0e2fbbb1161f2387dcfe92

SHA512
64f9786d57650d92089397a753f59f178c79022318421d36091994817e2e72c8cb39c95a0ee99157999da2cdd213378a20e19cec15ad6fa53e84ee4227e1c0b9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.1MB

MD5
5cf41ffb9e5db2ef185e99c9e6d59d35

SHA1
b7865a650a4908d3b5f009c77c1fe9dc74b38a12

SHA256
c39896a016680b9f895c83a9cac0c2eeacb3d822e6667c3798931920144828ad

SHA512
d1572f2ea7695095e2296b9ff4f40d04936ee3e7556ab73ea9549696e613cf36afcdfc9249868465a7f5624feef05d944739abbde2d0e8644d5e5b213cef0427

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
1.5MB

MD5
5dc93ab2118a0a62badaed346046dc73

SHA1
7d9deae18563f62b53840a41fa912a22abbd76f3

SHA256
f4f4b3091fec69f4df773bfc8338dd3d5785a18c433437eeeb78a592994892db

SHA512
2973eba3e2701f5c0505c7e4b573cfe7996eaaab53eb0f029a5758729b8169655349fb6dde840532682956dc27a5ed17a852f88d68b0160a7a37eeef323e5a4b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
705KB

MD5
e28b829417f86f91e8b7ca5c3f257a08

SHA1
de8a7e378bea7d1bca9d1ba448a7b7c24c7ff066

SHA256
a0fce7bdbbd728e6f65d11abc1af87c293b22b6c6b6b48ca45386233df8539b7

SHA512
89fc70806cfb5de733e47683e83cbf8113ed91257f467c73b54a0de7bb106a24690000a56d3038ea56d642a717259c41c2fbdc8cbfa0b4c54d7973ef56807360

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.1MB

MD5
e4030926352a8995b164a08b99d42138

SHA1
c8cec8f356f19e73a71bd28c99916e2da1086ade

SHA256
79ce33fa3fabbf7095a9a98b4f8263fbcf20e880278800a285e62c54065518b1

SHA512
5afca1653336f02235c8af37b623c1f72873ed50bd43acc07c2842991ad8e8812310470b72542c8e4577248dfc90b01ce68b72bf06c480635a8d428c82756dda

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
896KB

MD5
acbbbb02692e9808fdad46799b45e82d

SHA1
949fe1fab6a28466bfd82af751239681a73cdd0b

SHA256
be480214c91387957e189e0da19632b60b9dea85828a4cf88d5e2dc1c6812e7f

SHA512
e2620041159c488923accb0f1ecb4626746e6fe152bdea34e496a91a9fd3eb0d4fcb42617c4eb9c20092d1c38f464b1ad4cf55abaabade02ac132fba88e00635

Download Submit
C:\Windows\ehome\ehsched.exe

Filesize
64KB

MD5
2ff024f9a6c3540d63eb68fda070a586

SHA1
fe00128cb0b9d39d2d92bb699aec588b93e41bd1

SHA256
9e57cd53f03ca6e3e7010485e8d0c687b40ea31b004ca599f75b2708aee52147

SHA512
55a3abfea4bb67ac1cb780876a1579bc70dcfa525efce563c1eaca1cd6ab7b31ed0de155bca09a2951e539bfc3318899e3b0308d3e468e3d7baa3505c0f6772e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
691KB

MD5
25a9244be3afffd3ff9c3c9a615f86d3

SHA1
52f0e4ba9a3363eb253fa86665e155479782a363

SHA256
1cc4c5a152666770a9d6f9a51995567b4e730333c6186a59fcde2891cf51bb6f

SHA512
02e8c7d52b94ec8e56750ab42d0eb1d7003143ab637846afca821c826f464ce2b02e2da8eb4cc440ee7eb35e7edaae4b08fa903e47bc99b0d34e02e7ace6b743

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.2MB

MD5
06b968f08ef3f52db51bf76a78c8d9ac

SHA1
b0d25425f33871b8844410d88b0beeac29dc138c

SHA256
37c81ba23a32142c66712ed07429db00e4e10eb7949e6a2b4738170f0472ea2b

SHA512
f355c99ad9673bb4f16d1c8548891e57bb09ee5833050af23865e01d3712b1ec9897a3b23f8f53f05cd22b7a98a0818d44fef5f102a2ac6130605a14a8d43d86

Download Submit
\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
2.0MB

MD5
3c0a1cff8bc366cbd568d50f1ef072d1

SHA1
bdd4b4193514835a4dffd85f4228da3d35a75432

SHA256
28221a54707a5adcf2dbdfb55fb0c4f4b4e9517549cd0472a5eab317a5d9e528

SHA512
6f467cd771ee29103c4b6be506cce4858e3c58bf5864d12eb3fb9e9dc1291bb2a514bf3acf664aec413a9f492674111d91e63b1829dfbe1b0d98643a7577b9ff

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
648KB

MD5
442638155ede9f2016e7cd3566da6024

SHA1
bd35e0db1a60c0e233ed6e328d455fda52fbfadd

SHA256
b862ff9a6b9c6064a7eadd92f207deb7f0da0bc0e76358c467466d37cb16cf32

SHA512
acea3938637fd1ca9bad617a13d7049dc1028bb2bbffed1fe9fd65ba4946a43e9e64919588382ad5650def90dc918bc2f51d15029b02e58f4d9ed1ee38e4e57a

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
d906232e86c4facaaa9ee57812750c8d

SHA1
41fef8486ab235aba333b21354a2442a418bb1d0

SHA256
c09b8907994be0a26f8f63cb7ff9699e354b3f78b434cbaffb2b14958c10f620

SHA512
5931336fc9132e566394712de3eb76f03978edf78f66d74a858e5775a21ddac15daa5c9d772d5b360cbb3e3ca8cf21964f76381b553d741d2170bbdfc709287e

Download Submit
\Windows\System32\Locator.exe

Filesize
577KB

MD5
13eb4c0f02fadbc1f5ada967b3a2e47a

SHA1
ddbe94ef0f20bea96ecbfa1fee7cf5779559e710

SHA256
6a50e736ac840fdac75c95be572921b62745b3766f937aa0e580b2d6cc271c10

SHA512
a5b49665f366742dc501d3ea37cc2ba17791484c83fcb952f9e19a5283fc1b51f15277bff4bf8f8e61cf6769af96b74735873bf0e9d11c4643402b2fc84b3fee

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
d1ac1543b3dc6da8ee9f12fcbda26d91

SHA1
efb11efbea4895111841a18785779dc22301a737

SHA256
4e239787608c6311eeb6c392c3c2f1476a3e2b4891d8bcce51c753639e223509

SHA512
74d198c2277fba4757b693eef1c77a643c764c63d922591c8f82207251db2078c09cbd2f95df9512fdb88782a9226f7b8b59980aa100ae80dce07d9277b09bca

Download Submit
\Windows\System32\ieetwcollector.exe

Filesize
674KB

MD5
a146b860b650379c206e9a9aed31b3bd

SHA1
4a4b520253f57654361c0327431e4334c3695ca5

SHA256
355828e994baa3cb048a740101cd34b41391cf81a276ea86ecf77989a95f86db

SHA512
2a91c5dfc9516b37cb48ef43215c59a11c2c682f13127560434e96ba8dfafd804f226a89328b6e44bbc3953ee7981d2e85409a69627f09d6233d0b90076b0121

Download Submit
\Windows\System32\msdtc.exe

Filesize
433KB

MD5
c8e88823d459efadfc400dccc1fb9f2b

SHA1
334f182f31ab27505ae407ab314967d5c2b4c802

SHA256
26dff38b52eb06e8559ae4d5f83843ef9b017029412ee94044bd62c0300a4093

SHA512
ff96e2378b9547f5b763778eb79746b2c9ee72519c1607988026245250c9329ea6f990b8a600a9910f8ac49949fc125730cab5d60fbb0965468653dcccbae845

Download Submit
\Windows\System32\msiexec.exe

Filesize
128KB

MD5
8d63ff9fee9b6a2c325dde7d58442c65

SHA1
d8efdb88d8aac0b29352c2d4517a68d8eed6f10c

SHA256
79f9255e24cf1c923933b823981a9ef1db0ac16654633c3aef68eb7c7d0fbbfb

SHA512
92615485d23d41105af68d2b47b0a98252cad18cab01ac331760d78b42d894b3348d861b7ba7f68e76a5eb69ed88fde2dbbe82f4b46fd3b5a4daa130af378b12

Download Submit
\Windows\System32\snmptrap.exe

Filesize
581KB

MD5
7cda89b69b8e39bf4612b2e9370a5bcd

SHA1
21b1cddc4e544390ee0491366ed8c24255e873d6

SHA256
e5a26c8ae443405889f0609f924f12de0c0350341d105e7863ce93c329fb33db

SHA512
643358e0fc28cccfc048da8cd1b889c054cf3a9c42cee210551086f8b9b4ff423870f4f50823fd5bc9fb3314c166fef54c3edd2031973d980a9c980143ed5dfe

Download Submit
\Windows\System32\wbem\WmiApSrv.exe

Filesize
765KB

MD5
da79d372743ff2ddd66cc625d1f98983

SHA1
66ec8e3b474e6565ed172921c580a7f0b7da5970

SHA256
a05f2ca6a95c2f3d62a02cb21bc60542275e1afaa11a3b87fd8ab6a19c7ed524

SHA512
977fdf8e4d66f072103c38b2e389b3ac734999c88db9f426fe13e9a3e12f160d326bab31a3b4ca2b450f5a8cdc54f2b4af832ef13f1f5c5d5c17569937793e12

Download Submit
\Windows\System32\wbengine.exe

Filesize
903KB

MD5
4720ebc839524763fc6cc9aac81e94a7

SHA1
25917b6c400a0a9bb364e128dba48cd13e8043ac

SHA256
b573c99613d58725ff314d025c4c9a2a94975ee200210a03a80c85fc2c9c35d0

SHA512
ae34dee4c6057b0b1523aa50df57881ee1d1890bbbcdff46d8aeb7051bf7ff5fe18c2726dda0dbf4f7e2065475891e3382f2381c8d17b48afd92a59d6558629c

Download Submit
\Windows\ehome\ehrecvr.exe

Filesize
1.2MB

MD5
2d13e322b388aa493a1679a47cc12d7c

SHA1
157172c2712bb150966b9f97354c773edb269e5d

SHA256
f776598dc556ca82658469a3df52764be1aecd4d4d54566d25d4752a6eccbcae

SHA512
a7147eb6413b81e936444ca8a9975d8e3b036f2b536ecaca359e74605ab0c89246081cce758a358ccf964f782c56df0fae58328b5762ed3cde684fccbe5d3ae7

Download Submit
\Windows\ehome\ehsched.exe

Filesize
691KB

MD5
49a50a30beee065e9cbfe1be5c969378

SHA1
070497770cf1be04cca66f3e4ea3fd8325ff3a4e

SHA256
2ca46ffd09c748a44f7b081f8e9b5bd042643caf61b7e26002cebe29e00ecfc8

SHA512
12a409c5257c91768c63aa2cbc64e2c9068f9aee928154b3a1a14368e730e3de926175ce2358e2989c06859c8183f438ce258534f483da2c654aac51497a25b6

Download Submit
memory/564-236-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/564-234-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/684-73-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/684-78-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/684-148-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/684-71-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/780-261-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/780-259-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/780-252-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/1052-302-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1052-226-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1052-223-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-264-0x0000000000A00000-0x0000000000A80000-memory.dmp

Filesize
512KB

Download
memory/1052-303-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/1052-291-0x000007FEF4C00000-0x000007FEF559D000-memory.dmp

Filesize
9.6MB

Download
memory/1352-228-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1352-244-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1632-120-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1632-257-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1632-117-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1632-107-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1636-229-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1816-279-0x0000000100000000-0x0000000100095000-memory.dmp

Filesize
596KB

Download
memory/1816-287-0x0000000000150000-0x00000000001B0000-memory.dmp

Filesize
384KB

Download
memory/1912-145-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/1912-138-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1912-285-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1968-273-0x00000000003B0000-0x0000000000417000-memory.dmp

Filesize
412KB

Download
memory/1968-265-0x0000000001000000-0x0000000001096000-memory.dmp

Filesize
600KB

Download
memory/1992-106-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1992-249-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1992-110-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1992-94-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1992-100-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1992-118-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/1992-92-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1992-260-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2112-205-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2112-209-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2292-239-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2292-238-0x0000000140000000-0x00000001400B6000-memory.dmp

Filesize
728KB

Download
memory/2316-241-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2316-243-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2316-308-0x0000000100000000-0x00000001000B2000-memory.dmp

Filesize
712KB

Download
memory/2316-245-0x0000000000570000-0x0000000000622000-memory.dmp

Filesize
712KB

Download
memory/2476-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2476-56-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2476-61-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2476-136-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2520-28-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2520-109-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2548-246-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/2548-304-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2548-242-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2580-80-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2580-45-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2648-85-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2648-32-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2648-31-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2648-37-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2760-306-0x0000000000150000-0x00000000001B0000-memory.dmp

Filesize
384KB

Download
memory/2760-295-0x0000000100000000-0x0000000100096000-memory.dmp

Filesize
600KB

Download
memory/2808-180-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-124-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2808-300-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-125-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2808-133-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2808-178-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2808-177-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2824-91-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2824-22-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2824-21-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2824-15-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2824-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2936-70-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/2936-0-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/2936-7-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2936-8-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download
memory/2936-1-0x0000000000390000-0x00000000003F0000-memory.dmp

Filesize
384KB

Download